Slashdot Mirror
DirecTV's Secret War On Hackers
"Allow me to give you some background.
"One of the original smart cards, entitled 'H' cards for Hughes, had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer their design, and to create smart card writers. The writers enabled the hackers to read and write to the smart card, and allowed them to change their subscription model to receive all the channels. Since the technology of satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could re-write their smart cards and receive all the channels, and unplug their phone lines leaving no way for DirecTV to track the abuse. DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to 'apply' these updates when it received them to the cards. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card. DirecTV could only send updates to the cards, and then require the updates be present in order to receive video. Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission.
"Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, yet alone send these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.
"Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking communities' ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".
"For more information, visit http://www.hackhu.com."
see this
Unfortunately the smart cards weren't quite "Hal", otherwise we would have heard
I'm sorry Dave, I can't do that
last Sunday night.
You make a number of good points, but they don't apply here. Sure, you have a right to receive and decrypt any of the electro magnetic radiation coming your way. But they also have the right to change the encryption system. They did that and in a very cool way. They didn't run off to Washington and beg for nasty, fascist laws like the DMCA.
Lastly, DirecTV also hit many, many paying subscribers running legit cards with their attack on Sunday. You can be certain that this attack cost them quite a few dollars in terms of cards needing to be replaced as well as the loss of subscribers that they have managed to piss off once again. This is not necessarily true. I sell RCA DSS systems, and about 6-8 months ago, DirectTV started saying that all users had to upgrade to new access cards (i.e. smart cards), that they were going to send out replacements for the old ones (namely the very very old ones, etc). I have not had one complaint yet from anyone that did this upgrade, however, I have had many complaints from users that had old access cards, or 'hacked' cards. This was planned by DirectTV, they just used this ECM as a forced-upgrade option to those legit users who had not already upgraded.
There is so much disinformation in article I just read I can't believe it. Where did you guys get your info? Allow me to put on my shit kickers and point out several flaws with your article.
1. "So much so, that Hughes corp. (the primary owner of DirecTV) decided to create their own smart cards" (They do not create anything NDS is the creator of the card, they were contracted to produce and maintain the security and encryption systems. But you would have know that had you bothered to look on the back of the damn card.)
2. "One of the original smart cards, entitled 'H' cards for Hughes" (The F card was around long before the H card came out. There was a limited number of G cards then came the H it was named H because it was the next progression in the naming cycle. Not some great naming conspiracy.)
3. "The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card" ("Trojanized" you make it sound as if condom man invented it, the correct term for what you describe (write protecting the card) is "stealthed")
4. "Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. (Some 3ms were up for years without being touched)
5. "DirecTV sent 4 and 5 updates at a time"
(Actually there were up to 9 at 1 time)
6. "Many postulated they were simply trying to annoy the community into submission" (Dynamic code updates were recognized long before they were fully active (C2 and D9 nano). Everyone knew it was coming.)
7. "Some estimate that in one evening, 100,000 smart cards were destroyed" (It was a hell oh alot more then that if you include all the VALID subscribing customers that were effected by there botched attempt. You fail to mention that there were almost as many vaild subs taken down as well.)
8. "removing 98% of the hacking communities' ability to steal their signal" (I'm still up and running, emulation is uneffected (Thanks PGM))
8. "To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER" (WRONG, don't know who was feeding you that line crap (oh, yeah the same moron that told you the "H" was for Hughes) the actual code is below)
So get your facts straight, I would've expected better from you guys.
Magician is one of the best in H card modifications. This is what he had to say about what was written to the write-once area starting at address 8000. "Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into EEPROM write register which RETs to 01AFh to enable EEPROM write mode which RETs to 0399h to write 00 04 00 09 to 8000-8003h." Since 00 04 00 09 is not even close to 47 41 4D 45 4F 56 45 52 (the hex version for "GAMEOVER"), and since it was 4 bytes, not 8 bytes, and since the article didn't even discuss emulators, I'm beginning to think it's purposely slanted. For those who give credit to DTV ECM people, they had help from Eddie of Northsat as part of the deal for being busted (in Canada). He has made good progress hacking the HU card.
but stealing tv is wrong
I am so sick of this attitude! It is not "stealing TV". When you steal something, the person that you stole it from no longer possesses it. An example of stealing TV would be smashing a shop window, grabbing a television set under your arm, and running. This is by no means the same thing.
DirecTV are broadcasting their signal over satellite. Whether you pay for their service or not, it gets beamed into your property. If you have a dish, you will pick up the signal. If you happen to have the means of decoding this signal, you can watch their TV shows. How is this stealing? This is no more stealing that watching the Superbowl at a friend's place because he has DirecTV and you don't. Are you "stealing TV is wrong" advocates suggesting that DirecTV should send agents round to their subscribers houses to issue them with an extra pay-per-view bill for any of their friends who happen to be parked on the couch with a bag of doritos watching the game?
No, this is an outrageous abuse. If DirecTV don't have a business model which can earn them a profit as they beam their signal into EVERYONE'S airspace, then they shouldn't be in business, end of story. Or, as they would say, "game over".
Please consider this for a moment: Hughes is bombarding us with their electromagnetic emissions... why shouldn't we be allowed to receive and decrypt them?
I really don't see how this is much different than DeCSS, which seems to enjoy the support of the Slashdot community.
So... stealing motion picture studios' work is OK, but it's wrong to intercept and decrypt electromagnetic signals broadcast through the air? Signals that are being absorbed by our bodies, with still unknown effects.
I'll buy the idea that people shouldn't 'steal' DirecTV's signal when DirecTV allows me a way to opt out of being hit with their sattelite beams. (Please don't suggest that I wear a tinfoil hat. ;)
LASTLY, I haven't seen any mention of how these counter measures have affected paying customers. I know several legit DirecTV subscribers who had their cards stop working after Black Sunday. How does anyone feel about that?
Is it OK for DirecTV to inconvenience paying customers in the course of their battle with the hackers? How many 'civilian casualties' will be tolerated? And is DirecTV going to be giving these people refunds? Probably... if they spend an hour or two on the phone. The customer's time isn't important anyways, right? As long as they're paying their bill...
Most of the comments see to be along the lines of "kudos to Hughes/DTV for beating the hackers at their own game and not resorting to lawyers"
. ht ml
Well, That may not be how it actually went down.
In October the guy who ran Northsat in Canada got raided. There was a consent decreee, and as part of his plea bargain he agreed to act as a consultant to DirecTV.
Although DTV had already been busy implementing the dynamic code, many old timers claim that they see dean's hand in the 4 (that's right 4, not one) ECM's that came down starting last sunday.
So it would seem that the legal system allowed DTV to force a hacker to destroy part of his own creation. Not a clear cut case of DTV defeating pirates with their own engineers. Guess he shouldn't have have a bunch drugs and cash in his house when they raided him hehe.
http://www.legal-rights.org/northsat.html
http://www.legal-rights.org/newspapers/northsat
In fact since most of us DONT get DirectTV and are STILL constantly bathed in its RF emissions Hughes is in the wrong, if anyone is. Mind you, I don't have a problem with them sending the bits to their own subscribers. The fact they they chose a CHEAPER method of distribution to increase their own profits opens them up to this.
Anything being broadcast non-interactively(not two-way like say, a cordless phone), whether tv, radio, or otherwise, is like air as far as I'm concerned. i.e. Not any company's but the peoples.
If the company doesn't like that, make their own customers use over priced less effective measures, like cable, spread spectrum, or other methods.
If the cost of that makes it unprofitable, so be it. The Constitution (Sorry, US centric) gives the right to the PURSUIT of happiness, not the right to it. THere is a difference. Similarly, Hughes can try to make money by giving a service worth paying for. They're not entitled to just because they spent a lot of money.
Think about it. If I fire radiation at your home 24/7 without you asking for it (paying subscribing whatever, and that IS what radio/broadcast energy is) you should have the ability to do whatever you want with it.
They are NOT STEALING. Stealing implies taking something away from someone else. As in they no longer have an object they previously did. These peeople went out and bought their own satellites, smartcards and gizmos. They can fdo anything they want with them.
Xerox did not have to pay all the scribes who were put out of work by copiers, nor did the guy who came up with carbon paper. Just because you used to be able to make money doing something once does not mean you are entitled to keep making money off it forever.
It's a great game they're playing, and I respect the way they're playing it. All the slashdroids whine that companies should use technical means to secure information instead of legal means. DirecTV did just that, and they caught most of the people.
As for my perspective, I have a DirecTV platinum subscription, or whatever they hell they call it, yet I hack my service. Why? Because it's fun.
They got one of my cards, and didn't get four others. This wasn't the final 'game over' for everybody, just for the script kiddies of the card hacking world.
As for the legality of it all... who cares? This shit is fun!
--
"Don't trolls get tired?"
I'm not from the US, so I don't know how the set top boxes are sold in the States, so ignore me if I have things wrong...
Where do these people get the STBs to watch DirecTV from? Generally cable/satellite/etc operators will sell their STBs as a loss leader, aiming to get their money back from subscribtion charges over a lengthy period of time.
Assuming this is how DirecTV is sold in the states, that sounds pretty close to theft to me...
...j
Riiiiiiight....
Stealing and Invading Privacy are two different things.
You should also note that until just a few years ago, it was indeed perfectly legal to listen to any radio transmission you could receive, as long as you didn't divulge the contents. That meant that, yes, you COULD listen to cellphone calls. You just couldn't tell anybody else about the contents. Then, one of the first content-protection laws, ECMA, was passed making it illegal to listen to cell phones. This was a law passed purely for the convenience of the cell-phone companies, so they could say "Yes, we're secure - it's against the law to listen in." It was and is still technically feasible, however. Even old televisions that went above channel 70 could hear cellphone calls. (Note: this law is rapidly becoming moot, since most cell companies are switching to digital as fast as then can go. You could still scan the digital cellphone bands, but it's much harder to listen in. )
I have phone lines that cross my propery, does that mean I can hook into them and get free long distance?
No, because now you're not passively intercepting the radio waves. You're taking active steps to steal service.
You're letting your indignation take over your higher thought processes, plus you have forgotten recent history. Calm down.
As far as I know, according to the law you can still listen to cordless phones, which is nearly as entertaining. And, for a really good time, try scanning baby monitors.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Sooo...
You wouldn't care if I set up a listening post to hear any wireless stuff going on in your house, right? You probably don't care about Echelon and various Internet-based listening posts monitoring your e-mail and where you surf, right?
After all, you are sending your data out over shared space, and if I feel like manipulating it *however I want*, that should be my right.
Yes, no more mobile phones.
That doesn't mean they did anything wrong.
It's how you play the game. Hughes deserves props for doing this the right way - by outsmarting the pirates. Unlike some other industries who combat piracy by buying laws that take away everyone's freedoms just to protect themselves, or force everyone to sell crippled hardware so that their precious media can't be used in a way they don't approve of, these guys stayed with an existing technology and made it work in the face of rampant piracy. My hat's off.
Forcing me to uninstall and reinstall the game IS harm. It's a big waste of my time.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
It is not "stealing TV". When you steal something, the person that you stole it from no longer possesses it.
Consider the infrastructure. Those satellites are expensive. If you are grabbing the service for free, who's paying for the infrastructure and operating costs? Hughes is not the bad guy here. They don't circumvent fair use rights in any way, they provide better service, pricing, and quality than local cable providers and their pay per view is cheaper than (and higher quality than VHS) video rental. Their business practices are not monopolistic (in fact, they have several competitors)
The manual that came with my reciever even listed details of channel allocation, packet format, etc.
This is no more stealing that watching the Superbowl at a friend's place because he has DirecTV and you don't.
That's not stealing because they contracted with your friend to provide the service in exchange for a fee (which was presumably paid). They got theirs and your friend got his. If they decided to bill by the eyeball as you suggest, I would switch to another service immediatly. If they took steps to make sure there wasn't another provider, then I would agree with you.
Punishing the bad guy like the MPAA and RIAA who circumvent fair use rights and play dirty games to kill off competition won't work if they know they'll be punished even if they play the good guy.
If DirecTV don't have a business model which can earn them a profit as they beam their signal into EVERYONE'S airspace, then they shouldn't be in business, end of story. Or, as they would say, "game over".
O.K. they and the regular cable operators should shut down immediatly. You can go back to a glorious 3 channels of $hit mixed with snow to choose from.
There may be some ground to say that DirectTV overstepped its bounds to destroy cards that were at one time rightfully sold.
I imagine that DirecTV's response to a claim would be "Fine, you pay for the service you stole from us, and we'll replace your card". Somehow, I don't think there will be many claimants.
For starters, H cards are damn near indestructible. I've seen one go through a washing machine and still function.
How can a virus wipe out my flash BIOS? After all, it survived a trip through the washing machine! They blew a few fusable links using a charge pump on the chip.
Secondly, even there would be no need to add the offending code bit by bit, you could just send 1 update.
And the pirates would just block it. First, DTV had to get the pirates to accept the updates rather than block them.
Thirdly the destruction of the cards would force Hughes to replace them. Not a cheap move. They'd be opening themselves to a lawsuit from everyone who was willing to say "I hadn't modified my card, honest" otherwise.
And if DTV could prove otherwise (such as the defendant's lack of a DTV account and no history of payments to DTV), the court records will prove that the plaintiff committed a felony. Sort of like the things you see in the dumb crooks shows.
The reason you have never seen an individual (someone not reselling their copied/"stolen" material) is because of the need to prove a loss. This is a major issue surrounding MP3's and the like. Just because a person has copied/decoded/viewed commercial data, it does NOT mean they would have ever paid for it. You can NOT prove a loss of profit, because you can't prove that the person would have ever paid for it at all.
That is true for content protection. However, DTV is a service and so the laws are a bit different.
They are running a commercial enterprise, it's the responsibility of them to come up with a business model which at least covers their costs... It's certainly not the responsibility of any other party to support anyone's business model.
They do that by charging for the service (which wouldn't exist at all if they couldn't charge for it). They also accomplish it by things like the subject of this story. It's not like they're trying to get a TV or VCR tax like some cartels we know. Or like they're trying to sue competing technology into the dirt. They also don't try to squeeze out more than their due by circumventing fair use rights. If they were, I would agree that they failed in their responsability to have a profitable business model.
We need to strongly promote a word or phrase that implies that that person is not one that hacks to undermine a system, but to learn and possibly improve a product. "White hat hacker" I've heard used, but it still has some negative connetation. Of course, even if we come up with such a word, we need to inject it into the mainstream press somehow, and that can only be done by groups that are leading the hacking effect, include Linus, Red Hat, and other distros.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Rob and the gang,
Congratualations on a well-written, engaging news story. Clear, concise, interesting with thrilling narrative, factually informative. This entry is a model for all good Slashdot entries.
Thanks.
Wordnik, a dictionary project which aims to collect
I don't like DirecTV much. I don't agree with the proprietary signal DirecTV uses. I also just plain don't like the service as well as I liked my old Primestar (dammit; why'd DirecTV have to buy them out?)
Neither do I support stealing channel access by the hackers, though. This isn't a fair use issue; the difference is the same as copying a book from a library (fair use) vs. stealing it from the bookstore (shoplifting). Frankly, I think this was an unbelieveably cool move by DirecTV. I do find it somewhat scary that they were actually able to make this work, but what they did is truly an ingenius anti-hack method.
Now, the next question is, when are the hackers going to run around this system too?
----------
actually you can get sued for "protecting" your property/goods by dangerous means.
A liquor store owner was sued (successfully, and for a load of cash) because he put an electrified fence piece over a skylight that was used a large number of times to rob his store during the night.
IANAL, but the law is called something like the "pull-string trigger" law. (i.e. you can't rig a gun to your door so when it's opened the gun fires.)
There may be some ground to say that DirectTV overstepped its bounds to destroy cards that were at one time rightfully sold. I would suspect that their legal department has some sort of "appropriate use" clause. Besides, any one with a functional frontal lobe knows that people were stealing. Those who had their cards fried should think fondly on their time of beating the system, but above all they should respect that DirectTV outsmarted them.
Of course... this assumes that someone isn't right now figuring out a way to reverse the process or come up with a new way of hacking the system. Any way you cut it, this is one of the most interesting and impressive reactions in years. Maybe the cuecat people could take a hint and decide to get smarter instead of making legal threats.
-- Solaris Central - http://w
Tricky. In general, I'd agree with you, but current law doesn't seem to be on the side of Hughes.
*I* think that if you have a computer which you allow to run non-trusted software, and can recieve such software independently of what you do, you're asking for trouble. (although there should still be some kind of minor trespass violation - it's illegal to enter a house with an open door if it's not yours, just not as bad as if you had broken the door down)
On the other hand, it's illegal to hack computers, no matter what sort of crappy security they have. While no intelligent US hacker is going to step forward and sue Hughes for hacking (as they'd quickly get counter-sued for watching it) Canadians may have better luck. I think that it would be rather funny for them to start a class-action suit, as their watching is quite legal but Hughes' hacking still isn't.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
I disagree.
As others have pointed out Hughes is sending the signal to hackers. In fact, they want to send it to nearly everyone, ideally. Furthermore they're sending it as a broadcast radio signal, and that's a public resource.
If you proceed with your logic, you imply that it would be illegal to read billboards on the side of the road (ideally for this argument in the state-owned right of way) if the whim of the owner was that you weren't allowed.
Just as there is a right to free speech, there MUST be in order to actually have such a right function, an equally absolute right to listen. Otherwise you're supporting the opinion that you have a right to free speech, but if the government finds it inconvenient, people who listen can be arrested. (despite the speaker going free) This is a nonsensical propisition you're making, I think we'll all agree.
If a communication is privileged or there is an expectation of privacy (e.g. whispering, talking in a way that cannot reasonably be intercepted outside your home, lawyer-client discussions) I can see making that a minor crime. Generally one that's worse for the government (e.g. tapping w/o a warrant) than individuals.
But sending data across a public medium to virtually the entire continent does not strike me as private. Even the Internet is not private - it's a network of other, smaller networks, and it's hardly possible to believe that communications across it are automatically private. Certainly the most esteemed privacy/encryption experts on the net don't think so.
Once someone recieves such a stream - particularly if it was sent so that they, their neighbors and their countrymen could recieve it - I don't see how it's Hughes' business what's done with it. If they wish to prevent people from seeing it, the best way is to not send it to them at all. The second best way is to heavily encrypt it, but encryption is not a guarantee. It also means that Hughes' business is not TV but decryption software. If someone manages to put out an RE'd version w/o infringing on patents, then that's their right too. We rely on that right to have microcomputers that aren't all sold by IBM.
And furthermore, in Canada, which is what we're discussing, the people there explicitly DO have the right to watch broadcast signals. There's just no two ways about it there. If the law in Pottsylvania were that TV broadcasters had to give out free TV sets to people in order to have a license to broadcast then Hughes would have to either stop broadcasting to them, or start handing out the sets; it doesn't matter if the law is different than US law, sovereign states have the right to have different laws.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
They got a dish and decoding equipment from DirecTV, and presumably (correct me if I'm wrong) signed an agreement not to hack that equipment when they did so.
If you feel like putting up a dish to capture that satellite's signal, go ahead. Manipulate it however you want, too. But unless you can brute force the encryption keyspace or you the transmitting company, your manipulations are not going to get very far.
The question then becomes "what do DirecTV subscribers actually sign to, under what conditions, and when?" I don't use the system, so I'm not going to speculate... but I will point out that their ongoing, "you must communicate with our modem to get the latest decryption firmware updates" service could make it real hard to decode their signal without their help, even if you can purchase the system (with original firmware) while avoiding signing away your rights to hack it.
The difference is simple: DirectTV can beat hackers technically; the recording industry cannot.
DirectTV sends broadcasts over the airwaves, and can send encryption keys for those broadcasts over phone lines on a separate, authenticated channel. Although they cannot prevent legitimate subscribers from recording and sharing the broadcasts they paid for, they can easily prevent pirates from accessing broadcasts they have not paid for (without getting a copy of the frequently changeable keys or a tape/CD-R of the desired program from a legitimate subscriber.)
This is not possible with the recording industry, because they cannot change encryption keys on the media they sell, and they must include those keys with the media or with the players in order to allow the media to be played back even once. At this point it isn't encryption, it's scrambling. And scrambling can always be defeated, as long as we control the hardware. For any non-interactive media that can be played back on a general purpose computer or a sufficiently hackable electronics device, it is simply impossible to enforce "pay per play", "do not copy", etc. with technological measures. Despite SDMI, I think most of them know they can't beat copyright violators technically, and know that the only way to beat violators in court is to with unconstitutional laws like the DMCA that hurt non-violators as well. It's not just evil we're dealing with here, it's desparation.
Click-through agreements have loads of legal, ethical, and practical problems (they aren't made until after you've purchased the product, they aren't an actual signature, the product isn't necessarily run the first time by the owner, it is possible to bypass them by hacking the product before running it and agreeing not to hack it...)
With our cable modem service, at least, there's something like four pages of fine print that they got us to put a physical signature on during installation. I made the (apparantly incorrect, according to other posters) assumption that DirecTV would have their bases covered that way.
Alright, while the story above is 'correct', it's something like reading chapter 6 of a 12 chapter novel, and claiming to understand everything. Alot more has been going on than is shown here. In the beginning, as it were, was the F card. This card was a dumb eeprom, and was hacked so fast it must have made DTV's head spin. The video stream at this time was un-encrypted, and you merely had to convince your receiver to show the channels. This lasted about a year or two, and then a new card began appearing, this was the H series card. This card had a dedicated ASIC on it for decryptiing scrambled content. It was also a 'smart' smartcard, in that it tried to think about commands that were sent to it, and had some basic functions (read, write, compare, etc) that could be called on. Eventually, DTV mailed out new cards to all valid F card owners, and completely removed the older card from service. They also switched to an encrypted video stream, and that was the end of the F card. This new H card was trickier to deal with, but at this time Hughes, who owned DTV, had made another mistake. This was the same card used in some european digital satellite systems, and a great deal of information was alreayd available on it. Hacking it (and these people were hackers, in that they had to reverse engineer a 'black box' device only by watching how DTV interacted with it, even if they used their knowledge for less than stellar purposes.) took less time than DTV would have thought. This is what went on for the years leading up to this story, in that the hackers would enable some new security hole, and DTV would send down an update to close it. Eventually though, DTV realized that there were an unlimited number of holes that could be opened, due to a flaw in the memory checking on the card, (large values would roll back over to zero) and that the programming hardware needed to work with these card had become cheap enough to be a mass market. About this time, DTV went quiet, and the community that hadgrown up around priating DTV satellite signals began to get fat and lazy. When DTV started up again, this time patching the firmware in the receivers to test the H cards unique ID against a list of known bad ID's, and to lock out bad cards if they were found, alot of people were caught by surprise. It was easy enough to overcome this problem, in that you could copy a valid, subscribed cards ID onto an unsubscribed card. Called cloning, this technique had definciecies that had been known for some time, in that part of the cards unique ID was stored into a write once area of the cards EPROM, and couldn't be changed, only masked. Since DTV seemed to have stopped sending down card updates, cloning became popular. In fact, it became the way of doing things. Looking back, it is easy to see how DTV set everyone up for this, allowing cloning to become rampant, because they knew how to kill it. When DTV started up the updates again, some of the original hackers warned heavily against cloning, saying this was tge beggining of the end. Most people, however, were content to simply update to the latest way of activating their cloned card, and content to ignore the number of updates piling up on their card. Once the updates were complete, those early hackers really began to scream about what was going to happen, but still no one listened. And, in the end, it did happen. What DTV did was send down a packet of information, that said: Take this address, and store it in this new location. Then, using the basic features of the card, compare that adress we just stored to an adress at this memory location. If they match, do nothing. If they don't match, set this memory pointer to location X, instead of location Y, where X is a specific part of WRITE ONCE memory. Another packet came along, and said, write some stuff to this memory location (the 'GAME OVER' in this case). If the memory pointer had changed to a write once area, too bad. If not, it was harmless. What was the card comparing? the ID reported by the card and the ID actually valid for the card. This type of kill was instant and deadly. It was also 100% safe, in that anyone using a clonned card was garunteed to be priating the service, and the packet would not, under any circumstance, hurt a valid subscribers H series card. It was so deadly because the area written too is part of the cards boot process. When it first receives power, the card no longer starts in a valid state, instead spitting out useless garbage. There is no way to write to this memory location again, and there is no way to change the cards boot process, because it happens before the interface comes up. I don't believe a magic bullet killed kennedy, but this magic bullet certainly killed all these cards. Well, all is not lost, because a while back, DTV ran out of valid ID's for a H series card, and had to make a new card, dubbed HU. This card is much trickier and much smarter than the H card, but it may also have flaws that can be exploited. Only time will tell, but in a sort of ironic twist, this is again a card from europe. Maybe the american hackers will get another helping hand from oversees, and maybe not. Primitive hacks for it have already started appearing, and the game of tit for tat is already being played out, as DTV shuts down early HU hacks. Don't hold your breath though, the card has remained unhacked in europe for some time. I hope this clears up some mystery. AS DTV did well this time, but they've made huge mistakes int h past that onlye ncouraged hackers to use their knwoledge to priate the system, it was, if you will, a sort of contempt. It was so easy, it was like DTV was daring you to do it.
If you buy a book, that doesn't give you the right to duplicate and distribute that book. What the GPL does is to give additional rights that copyright doesn't give you, but places conditions on the exercise of those rights. What I get annoyed about is stupid click-throughs that profess to take away my rights under the "first sale" principle without giving anything in return.
Actually, these are hackers. They are also crackers. The had an amazing grasp on the technology, and used that knowledge. In fact, it was kind of interesting, because this was a hacker/hacker war. There is a big difference between crackers who are hackers and crackers who are script k1dd13z. Not that cracking is okay if you are a genious, but that even if you don't agree with what's being done, you can at least appreciate the skill with which it was done. This seems like quite an amusing little war, and I'm sure the hackers working for DirecTV got a kick out of it (especially the "GAME OVER" part).
Engineering and the Ultimate
I doubt that's a very large group of users (there may well be a decent number of people who can't get a channel they want, but not that many are willing to mod their receiver over it), but I would be inclined to feel sympathetically towards them. What channels do they lock out geographically (besides local network affiliates)?
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
If you want to design and build your own DirecTV-compatible dish and receiver from components, and write software for it that decodes the video stream, then hooking it up to your TV set and watching for free is not theft in my book. The signals are, as you point out, passing through your property, and you were smart enough to figure out how to do something with them. Enjoy. Hell, get Dish Network too, while you're at it.
But taking DirecTV's own receiver, only made for the purpose of viewing their service by subscription, and then modifying it for free service is theft, plain and simple. By your standard, there should only be free broadcast service (over-the-air commecial TV), because anything else is and should be open for the taking to anyone who can hack a receiver or get their hands on a modded card.
If that's the case, forget pay-per-view (what - life without Wrestlemania?), forget all the premium commercial-free services like HBO - and forget pretty much any reception at all anywhere other than in and near urban areas.
There's a big difference between fair use and theft of service. I should be able to record off my DTV, time-shift as I like with my VCR or Tivo, and not rely on analog streams to do so if everything I have is digital. But there's nothing inherently wrong with paying to get that signal into my house to begin with, so long as I can re-use what I paid for. A different point entirely.
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
On one side, you have folks who hack the hardware to get free service.
:-)
On the other side, you have a company that sells a dish and programming, at pretty reasonable prices compared to cable rates, and wants to get paid for their goods.
Given that's it's at an interesting intellectual game at best to figure out how to hack a DTV smart card system, and theft of service at worst, it just appears that DirecTV has figured out how to win the cat and mouse game once and for all. Good for them. If DirecTV was the only form of television service available (ie., a monopoly), I'd look on theft of service a little more tolerantly, but there's all sorts of TV alternatives out there - broadcast, cable, and other satelite providers.
This is different from, say, the i-Opener hack because the i-Opener hack was fundamentally about hardware. Buying the box did not incur an obligation to use the service (due to a mistake on Netpliance's part), and the hack didn't allow you to steal their service - it allowed you to re-purpose the hardware. That would be like hacking a DirecTV box to work with Dish Network instead. A cool, "because it's there" hack.
So if DirecTV won the war, more power to them. There may be a fine line between hacking and theft at times, but hacking a DTV smart card for free service is definitely on the wrong side of that line.
Besides, stuff like descramblers and smartcards are usually what spammers are filling my emailbox with, and I hate spammers!
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
As a DirecTV subscriber (who pays for the stuff) I agree 100%. Obviously the Hughes engineers are some damn smart guys, and the TV pirates (let's use the right terminology here - /. gets caught up about "hackers" not being evil enough that it's ridiculous to call the pirates that) are not as smart.
I have zero respect for these pirates. They could be applying their skills to the next piece of free software, while instead they're just trying to get free TV. What a waste.
It's just that all people who had their cards ECM'd chose to manipulate the signals in such a way that it destroyed their equipment....
;-)
Damn but it's nice to see a company that's willing to fight on the technical ground rather than running to its lawyers at the first sign of trouble. That's downright brave and honourable, there.
Say what you may about the real and supposed sins of DirecTV and its crackers, they were fighting the war on its technical merits rather than with hordes of lawyers. That's good stuff. It's nice to see a company with the integrity to defend itself within its market and its product rather than look for protection from above.
--G
Let's not make the same linguistic mistake we despise when the average reporter gets it wrong.
[ObDisclaimer: my employer has business relationships with DirecTV, but I do not speak for them]
...it is a thing of beauty... Not because of who won or lost, but because of the elegance with which it was done!
[someone should forward this article to the "Beautiful code" guy!]
Yesterday, we were discussing how we can hack new DirecTV tuners to allow HDTV resolution on analog ports.
Does anyone else appreciate the irony of both events happening in the same week?
They ARE saving money by buying a hacked card. Hacked cards give you PPV movies, Pr0n channels, Football games, etc. Channels that can cost upwards of 35-50 bucks for just one event, for one day, like a boxing match. And of course Local channels from East Coast or West Coast time zones that you can't get even if you are paying.
Either way, I'm sure most hackers just love a good challenge.
Watch out - the DirecTivo does not record your OTA broadcast signals. It only records the channels you get from the satellite. So, if you don't get the network channels from your dish, then you won't be able to Tivo them (or, I assume, use the Tivo remote to change to the OTA channels).
True, but that's not as bad as it sounds. I don't really need the OTA broadcast signals, since my local stations (Cincinnati area) are available off the satellite. (Same for 30-40 other local markets already.) Of course, they don't carry the local PBS station, but the national PBS feed is available. They don't carry the WB station, but I never watch that anyway!
Once I found that out, I ended up getting the Sony DNR Tivo system. It interacts perfectly with the Sony SAT-B2 receiver, and my OTA channels. In fact, there is a cable that plugs from the Sony Tivo unit into the Sony sat receiver to control it. My one Tivo remote is thus the only one I have to use to get all the channels. Works perfectly.
I've heard a lot of people complain about picture quality with this kind of setup. When the standalone TiVo records something, it does its own MPEG encoding. MPEG is a lossy compression algorithm, and I've heard that re-encoding a decoded MPEG stream tends to exaggerate that lossiness. I'm told that the quality of TiVo recording from OTA broadcasts is better than the quality of the satellite broadcasts.
With the combined DirecTV/TiVo box, it's true that you no longer have an MPEG encoder, but it's recording the MPEG streams as they come off the satellite, without modification. That means no loss of quality playing back the TiVo recordings as compared to watching the content live -- either way, the exact same MPEG data is being decoded for viewing. Even if your setup looks good to you, there's unquestionably some loss of quality inherent in using multiple passes of a lossy compression algorithm. (But if you don't notice it, that's lucky.)
More significantly, DirecTV probably does a better job of MPEG compression than your standalone TiVo can hope to. They've got professional-grade MPEG encoding equipment, and a strong financial incentive to get the best compression possible. (It's a lot cheaper to get expensive encoders than to launch new satellites!) Also, I've read that DirecTV does MUCH more intensive encoding on pay-per-view movies because they don't have to do it in real time; they can really optimize both quality and compression when it's done in advance. (I don't know if they do the same thing with other movie channels like HBO or not.) DirecTV also knows (more or less) which content needs to have more bandwidth (e.g. sports) or less (e.g. talk shows), and can optimize compression that way. What's it mean for me? In addition to having better quality for the TiVo recordings, it also means that it's probably going to use the available disk space more efficiently, and without my needing to make any decisions about what quality settings to use. I see this as a good thing.
The one bad thing is the lack of an MPEG encoder for recording sources other than the satellite, but this is not an unreasonable tradeoff. Adding that encoder back in might cost another $200 in the unit price, and I'm not sure it's that important to me right now... But if it's important to you, then it sounds like you have the right setup for your needs.
I had thought that having the satellite receiver and Tivo all in one unit would be a good thing, but I've had absolutely no problems with the setup I've got. If you don't yet have a Tivo system, get it! My wife thought we didn't need it at all, but she is totally convinced now.
My wife was adamantly opposed to it; she considers it a waste of money because it seems no better than a VCR to her, and she's tired of clutter around the house (my fault) and the plethora of electronic devices (also my fault). So I've had to lobby for it for a while now. I think she'll let me get it when I'm done cleaning up the house, which I'm almost done with... (Having invested a good 30-40 hours into this project!)
Assuming she relents and lets me get it, I won't be a bit surprised if she changes her mind and becomes a TiVo convert; I've heard of it happening to other people often enough...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
Ummm... bullshit! I know more than one legitimate DirecTV subscriber who was knocked off by these ECMs.
Taking out the hackers in only one of Hughes goals with these ECMS. The other was to destroy ALL H-cards, thus forcing their paying customers into upgrading to the HU cards.
But I'm sure they're _real_ sorry for whatever inconvenience they've caused people.
I don't know where you get your information, but they did not destroy all H cards last Sunday. My trusty old Sony SAT-B2 receiver came with an H card, and it still works fine. But I'm a legitimate paying DirecTV customer. Are you sure your friends were really legit?
As soon as I can convince my wife to allow it, I'm gonna upgrade to the Sony SAT-T60 receiver with TiVo -- recording the MPEG streams straight off the satellite is very cool, and I'm dying for that 14-day advance program guide. (I was very annoyed with DirecTV for cutting the guide from 3 days to under 2!) Maybe I'll sell the old Sony receiver after that; the remote codes may conflict with the new Sony, plus the SAT-T60 actually has two DirecTV tuners in it! (But the second one won't work until TiVo gets their act together and updates their software to handle it...)
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
Ever here of the FCC? It's the people's airwaves, and the people here in the USA elected politicians who put the FCC in control of regulating communication over those airwaves.
No, it is not stealing. It is the unathorized use of communications resources set aside for others. Just because something is not stealing does not mean it is not illegal.
The point is that the signal is broadcast to *everyone*, not just paying customers. /stealing/ it, you're merely using a signal in a way that goes against what the originator intended.
You're not
I don't see this as 'theft' in any way - denying *potential* profits, yes, but not theft.
IMO, Hughes did the Right Thing.
The crackers cracked their signal, so they cracked the crackers cracks. I think that's pretty nifty.
--K
Um, no. No single entity "owns" any RF spectrum in the U.S. The RF spectrum is a public resource (like a national park) that is administered by the government because it's a scarce resource and because (although I don't totally buy this) if you let everybody transmit wherever they want, the spectrum will be useful to no one. The portion of the spectrum that DirecTV uses is leased to it by the FCC and gives DirecTV broadcast rights on that band. As far as I know there is no regulation of who can receive on what band, because unlike multiple transmitters, multiple receivers can't really hose the public RF spectrum for everyone else.
True, there are laws about decrypting phone calls but other than that receiving is legal. I don't believe the phone laws apply to DirecTV, unless you know for sure that they do?
As an aside, I don't agree with laws against phone decryption because whether or not there is a law, anyone who is sufficiently motivated can monitor your transmissions. The law provides only the appearance of safety; it doesn't really give you any privacy. Plus of course you sent me those signals onto my property, but that topic's been covered already :)
Your right to not believe: Americans United for Separation of Church and
It's true that DirecTV doesn't have as much money as they otherwise would; but it does not necessarily follow that anything has been stolen from them. Many other events could result in them not getting as much money - an economic slowdown, a competitor with a better product, or even a nasty rumor that their satellites are really being used to track people for the sinister purposes of Major League Baseball. Just the fact that they don't have as much money doesn't make it stealing.
In the normal understanding of a "theft of service", somebody is still out of some physical quantity that they would otherwise have charged for and that they do not just hand out to all and sundry. Theft of cable TV service, for example (and according to the TV industry at least) steals from your neighbors by degrading their picture quality (a measurable, quantifiable thing). Spam is a theft of network resources and hardware resources on a mail server that your ISP charges you to maintain. Trojans or worms are thefts of service in almost the same way, by consuming network bandwidth and host processing power which somebody paid for and somebody else is getting charged for.
But receiving unauthorized satellite broadcasts doesn't deprive anyone of something they are being charged for. Your neighbor's signal is not any more degraded, DirecTV doesn't have to spend any more money than they would have otherwise to achieve national coverage, and the producers of the TV content are already getting paid by DirecTV under terms that were mutually agreeable to both of them. From all of these people's perspective, things are just the same as if you didn't have a DirecTV at all.
This doesn't mean that I disapprove of Hughes' actions in this case - I think they are entirely within their rights to police their hardware under any means that are permissible under the contracts they have with DirecTV subscribers, assuming that they have such contracts (although I don't think they have the right to modify the customer's lawfully purchased software or hardware without the customer's permission in the absence of a contract allowing it). I just don't think Hughes should be surprised when other individuals make use of the bits that DirecTV is flinging around so profligately, considering that those bits would just "go to waste" anyway.
I have to add, though, that it's nice to see a company whose initial response was not "send in the lawyers". Duking it out hacker a hacker is the way to go on this, and so much more entertaining for the rest of us without DirecTV or the inclination to hack one.
Your right to not believe: Americans United for Separation of Church and
I'm curious as to how this is really a theft of service. When that term is applied to spam, for instance, the theft occurs when spammers use up the bandwidth of their relays and the time and hardware of the targeted ISPs. In that case you can point to the extra costs that were required based on the actions of the thieves.
However, this satellite broadcast is streaming through all of us all the time. Does just possessing the knowledge to decode these ambient bits somehow make a person a thief? I'll agree that it's unfair to the legit DirecTV subscribers to have to pay for a service that some are getting for free, but I don't agree that decoding bits that are normally present in the environment is theft.
Your right to not believe: Americans United for Separation of Church and
Yes, I would care if you set up a listening post in my house, as your comment implies. However, I think what you meant is would I mind if you set up a listening post in your own house. That's fine with me. And if EMI from my cordless phone or 802.11b LAN reach into your house and you receive them. that's cool too. I don't talk about things on the cordless phone that I don't mind having the whole neighborhood hear. If I'm doing anything "sensitive" over the LAN it's double encrypted (SSH inside of WEP).
So, to answer your question, yes it is your right to listen to any radio transmissions that travel thru your house. At least in my opinion. Current US law does not reflect my opinion.
I find the whole idea that somebody can broadcast information over the radio waves to their whole neighborhood (or in the case of DirectTV, a whole continent) and have any expectation of privacy with respect to that information. That's just stupid. It's like claiming you have an expectation of privacy for a classified ad in the paper.
You don't OWN software, you have a license to use it. Even with so-called FREE software. I can't do whatever I want with GPLed software. I have to abide by the terms of its license. Even if you're just using no-CD cracks, you aren't licensed to do so. You might as well say, "Well, it's INCONVENIENT for me to abide by all of the terms of the GPL so I just won't redistribute my modificiations. After all, I BOUGHT these Red Hat CDs."
The original message was correct: this was a nice piece of reporting for /., although I wouldn't have minded some more technical details.
Even a superficial analysis of the issues surrronding intellectual property makes it clear that those issues are far from simple, and that the current attitudes towards IP in the legal and commercial sphere are often hard to justify. In many cases, especially related to patent law, those who benefit from intellectual property law do so at the expense of the public domain, and could just as easily be labeled pirates.
In this specific case, I agree that what Hughes did was perfectly acceptable and well within their moral, ethical, and legal rights. However, so were the actions of the original hackers of the system. Things get a bit more questionable when it comes to people simply buying a hacked chip to avoid service fees, but even there, "piracy" is not the appropriate term.
So are you saying that you have the absolute right to listen to my cellphone (assuming I had one) conversations?
Yes. And how would you stop someone from doing that, anyway? If you're crazy enough to send private/sensitive information over a public phone line (let alone a cellular phone!), you're likely to get a rude surprise one day.
Take photographs of me through my windows? (My image is traveling onto your property....)
Oh, this one's the killer. You see, this already happens all the time. There was a famous case a few years ago (which, regrettably, I cannot find now) in which a Florida couple were arrested for having sex in their own home with the blinds closed. Apparently, someone snuck up to their window and videotaped them through a hole in the blinds. Because their home was within a certain distance of a public school, it was felt that the children at the school could have seen them. (And that somehow, seeing people having sex is wrong... but that's a different rant.)
Use shotgun mikes to record everything that goes on in my house?
I don't feel qualified to answer that one, as I don't know anything about these "shotgun mikes". Is their use permitted by law? If so, then I'd say yes.
why should descrambling (stealing) unpaid-for content be any different?
Suppose I hand you a piece of paper on which there is some writing (6 paragraphs). I tell you, "You are allowed to read the first two paragraphs, but not the third paragraph. You are also allowed to read the fourth paragraph and the last paragraph, but not the fifth paragraph."
Do you really think I have a right to tell you which paragraphs may read, and which you may not? Do you really think that, if I learned you had read one of the "forbidden" paragraphs, I could win a lawsuit against you?
If I don't want you to read something, I'd better not hand you a paper with those words on it.
If I don't want you to watch a video stream, I'd better not broadcast that video stream into your house.
When you lessen the value of something you are likewise stealing.
When Ford Motor Company started to mass-produce cars, they lessened the value of horse-drawn carriages and accessories. This was not stealing.
We are a consumer based society, and while I will scream about corporate abuse as much as anyone, in this instance we have to protect the rights of the company [...]
This is one of the most depressing things I've read so far this millennium.
A company has no right to make a profit. They especially don't have the right to make a profit by requiring people to pay them money for things that they're giving away to those people.
I know it's fairly common for people to make money this way. In NYC, at least according to some TV shows I've seen, people on the street will wash your car's windshield while you're stopped at a red light, then expect you to tip them. Human nature is such that we will feel some obligation to give these people money (for various reasons which I won't go into here). But there is no legal obligation to pay for this service, because you did not ask for it ("enter into a contract").
Now, to the best of my knowledge, DirecTV hasn't done anything wrong. But neither did the H-card hackers. Nobody was stealing here, and nobody has broken any laws that I know of (apart from the DMCA, but that's not Constitutional... it's an abomination).
Microsoft doesn't own your computer. They could destroy the CD you installed from since that is (supposedly) theirs but the situations are completely different.
The answer to this is still pending. UCITA was an attempt to provude companies like Microsoft with the legal right to remotely disable their software on other people's computers, in the event of lapsed contracts, unregistered copies and the like. At least one state has passed a UCITA-inspired law, but it prohibits the "self-help" (ECM) in the case of "mass-market" software. (You can only use the ECM option if you entered into a contract with the other party.)
So, to the best of my knowledge, Microsoft can't legally destroy your installed copy of Windows ME.
Yet.
You have no right to make a profit.
Nobody can steal that which you have given them for free.
Just because you came up with some "clever" business model that involves charging people money for services, that does not entitle you to compensation from people who figure out how to provide this service for themselves.
I am deeply disturbed to see this bullshit perpetuated by someone outside the US. Previously, I had been operating on the assumption (obviously false) that "the right of a business to make money" was confined to the US.
Once again, for the slow ones: you do not have a right to make a profit, no matter how clever you may think you are, and no matter how long you've been making a profit in the past. If someone out there catches on to your scheme and bypasses it, you lose.
(With all that said, I have to applaud the hackers who work for DirecTV. Unlike certain other industries, they didn't resort to dirty tricks or underhanded legislation -- they simply used what they had, and ingeniously too. I'm not ranting against DirecTV here -- I'm ranting against all those who thought that the H-card hackers were "stealing".)
For all the noise that /. makes over the user of Hacker vs. Cracker, one would think that stealing services would fall into the latter category. While I think that the reverse engineering and cleverness involved in cracking the smartcards is quite impressive, I see no noble motivation, just stealing a service that is quite expensive to develop and provide. The real Hackers in this story work for Hughes.
Ignorance is the root of all evil.
Absolutely! NO argument here...
No.. not the same thign as a public building.
I am not 'using' the public airwaves for anything. transmission is licensed.
I don't dispute that there are laws regarding crypted signals..
I'm saying that it's absurd that I am not permitted to, in my own home, receive a signal being broadcast to me and do *anything I want to it*.
Oh.. I'm not criticizing DirecTV whatsoever! What they did is commendable, for exactly the reasons you stated. They play the game right, they don't try to re-legislate it so that people get the death penalty for decrypting (so to speak).
I have no sympathy either for the hackers.... I'm not at all implying they have a 'right' to the TV broadcast... only implyign that they should be free to attempt to decrypt it if they want to.
Just like 'fair use' laws and copyright... see... what they've done is, insetad of making any and all copyign illegal, they simply said 'it's still legal', but managed to obscurely (at first) make it so that any technical means to defeat their encryption is illegal... which has the same effect as simply making copying illegal.
I think it's about time we had laws that actually state some things as irrevocably LEGAL, rather than simply the opposite.
What do you mean?
I'm referring to DVD as an example. Software that breaks it's encryption, to allow you to make a 'legal' copy under fair use is in itself illegal.. so there is no way to make a legal copy.
So rather than attack the right of people to record at home, they make it technically hard, then make it illegal to break that technology, effectively doing the same thing.
That's what I'm trying to say. This had little to do with DirecTV.
To answer your questions.
YES.
1) yes. Actually, I am 100% allowed by law, in Canada, to listen to your analog cellular calls. Cellphone companies tried to change this, but the crtc was firm: you have no reasonable expectation of privacy by transmitting on public airwaves using standard modulation.
Now.. with Digital phones, and specifically, with Encryption this changes. Under Canadian law, encryption wrapping the conversation indicates that you have a reasonable expectation of privacy, and someone violating that woudl be violating your rights.
Note that the only reason it's protected is because it is encrypted AND because it is a conversation. Satellite broadcast is not the same thing.
Taking photographs, again. If what I see is visible from somewhere I'm legally allowed to be, I'm allowed to take photographs of it. I can photograph anything that can be seen from somewhere I'm allowed to be, especially a public street or my own property.
And regarding 'shotgun' mikes, it depends. If I can hear the conversation of you yelling at your wife, and I'm simply using the mike to amplify it, then I am within my rights to record it. If I can't hear you at all, and use the mike to snoop on you, then that's illegal, because you have a reasonable expectation of privacy.
Sorry... I have to draw a line here. Perhaps it's my Canadian blood talking.. but...
I respect that they put up the satellite, and started the TV service.. however....
THey are broadcasting signals over PUBLIC airspace, including INTO MY YARD. If I feel like putting up a dish to capture that signal and manipulate it *however I want* within my own property, that should be my absolute right (though the law may not agree). If they don't want me to receive the signal, don't broadcast it into my yard. PERIOD.
THe airwaves are PUBLIC.
>! It is not "stealing TV". When you steal something, the person that you stole it from no longer possesses it. An example of stealing TV would be smashing a shop window, grabbing a television set under your arm, and running. This is by no means the same thing.
That is not actually correct. When you lessen the value of something you are likewise stealing. DirecTV is in the business of satellite broadcast television, they hope to make money from this venture. If people begin to acquire their service without paying, they are reducing the value of the service. We are a consumer based society, and while I will scream about corporate abuse as much as anyone, in this instance we have to protect the rights of the company, since to do otherwise would be tantamount to telling DirecTV to get out of business.
-Shieldwolf
just = (My)Opinion.toCents();
There -was- an interruption in service. Upon waking last Sunday, I found two of my DirecTV recievers (both Sony SAT-B1) non-functional, with a notice on-screen to contact Customer Service (extension 721, IIRC). While calling did clear the problem up, it was somewhat disconcerting to have the system in such a half-broken state. I pay for TV, like a good boy, but that doesn't seem to matter. Interestingly, the third reciever (a SAT-A1) survived the hit without episode.
Kid-proof tablet..
Does this explain all the commercials with Johhny Cochran and the guy from "America's Most Wanted"?
I didn't sign a contract when I bought my dish, or when I ordered service.
I ordered over the phone and they didn't inform me of ANY restrictions, let alone ask me to agree to them.
So, the only thing I'm prevented from doing with my Bell ExpressVu dish is that which is prevented by federal law.
It's a service that id software doesn't provide.
So gracious of them to force me to use their validation service when someone wants to play on a server I host.
So I cracked the server. Now it doesn't check.
In a forum on Scary's, one of the id guys claimed I was breaking the law when I mentioned this, yet he was curiously silent when I asked him which law... All I'm doing it modifying software that I own, it's like writing in the margins of a book that I own.
Did anyone tell you, at the store before you bought the dish/box/card, that would didn't own them, that you were only 'renting' them?
If not, you own it.
They can't tell you afterwords that you don't own something which you paid money for.
And offering to let you return it is *not* enough. If they sold it, you own it. Offering an 'out clause' is worthless.
It's not valid in click-throughs, it's not valid in shrink-wrap licenses, it's not valid in anything.
I don't know what contracts you sign when you get the serivce, but buying the dish dosn't require service. and if you're hacking the system, you don't need it.
ReadThe ReflectionEngine, a cyberpunk style n
In fact, I believe that this kind of action on the part of Hughes is the best, when dealing which hackers or whatever. Instead of brining in lawyers, and making laws that stifle freedom, big corporations should hack back. Hughes was a company with enough technical talent to pull this off, but unfortunately the record companies and other media conglomerates were not.
ReadThe ReflectionEngine, a cyberpunk style n
By circumventing DirecTV's security measures one is depriving them of income that is rightfully theirs.
How so? I would never pay for television, and if I were to get one of these devices (as some of my friends have) it wouldn't change the amount of money flowing into DTV one bit. They get Zero dollars from me whether I watch the signal or not.
ReadThe ReflectionEngine, a cyberpunk style n
That dosn't sound anything like Gibson, I'm not saying it isn't interesting, but there is no way it come close to something from the keyboard of William Gibson.
ReadThe ReflectionEngine, a cyberpunk style n
Honestly, DirecTV is very cool about this situation. They even have a guy on alt.dss.hack that TALKS to the hackers and actually goes about in conversation with them. They truly look at this as a game of chess, and I was always intrigued by the complexity of the "war" at times.
To show you how cool things have become... The latest trend in DSS is using emulation software on a PC to intercept the signal and then sending it to your reciever. It truly is an innovative solution!
I swear, words like ECMs (Electronic Counter Measures) that literally destroy cards, and Unloopers (thinks that fix "looped" or destroyed cards") really make this feel like some hollywood hacker movie. But it's not. It's for real! Damn, that is just too cool!
-Nick
There is no real skill involved in what the Canadian hackers are doing. DirecTV was just toying with the hackers, inconvienencing them with looping the cards while they devised the latest scheme.
Hughes are the real hackers ... they were sending packets you couldn't figure out until the damage was done ... and they did it right before the biggest viewing time of the year. Bravo to Hughes ... they beat the "hackers" at thier own game.
You can justify your acts anyway you want, I suppose. But calling yourself "hackers" is an insult to those that truly do possess the skills. Just because I can take someone else's code and write it onto a CD doesn't make me a hacker. Just because you can take someone else's code and write it onto an H-Card doesn't make you a hacker either.
Ok, so what makes a hacker a hacker? IMO, a "script kiddie" is someone who uses a tool to "mostly" auotmate the "hacking" and has a moderate amount of knowledge to be able to use it effectively. They may know how the tool works, but could NEVER make the tool to do it. Hackers make the tools. Hackers have the skill to know how to fix a problem, and make the tools to make that job easier. If you didn't make the tools, you are NOT a hacker. If you can't write code, you are not a hacker. I say this because in your statement, you say that we "have no idea the amount of skill it takes to crack cards." Wrong. I've cracked them myself, using scripts and programmers. But I don't know HOW they work, even if I know WHY they work. Just because I can use those tools effectively doesn't mean that I am a hacker.
The FCC is a US body, and has no jurisdiction over, say, Canada. That's the point of this battle ... most of the so-called "hackers" are in Canada, because they cannot legally pay for DirecTV due to stupid Canadian legislation. But since they can't pay for it, it's technically legal (if not morally ambiguous) to "steal" the service.
Still, everything else you said is right on. Hughes handled this PERFECTLY. Just because Canadians are allowed by their law to "steal" the service, doesn't mean Hughes has to lay down and take it. Fight, man!
If it's encrypted, how do you know it's a conversation until you've decrypted it? I'd like to know exactly what kind of signal would go back and forth between a cell phone and cell tower that does not qualify as some sort of conversation. You can't reasonably defend listening in on scrambled phone conversations by saying that you were looking for the few that weren't conversations. It's a silly argument. You're still invading someone's privacy.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
If they can't convince us their service is worth paying for, then
they'll just have to arrest us and throw us all in jail; because I
really don't care about the interests of every large company and its
consumers who defend it like mindless drones.
So if they can't convince you their service is
worth paying for, it's OK for you to just take it?
If I want to charge you 50 bucks a night for
a hotel room, and you don't think it's worth it,
are you then allowed to just take the room?
And don't even try to compare my use of the word
'kids' to racism. That's ludicrous on face value
alone.
This is the perfect solution to a nagging problem.
Direct TV sells a service. They make money from
the sale of this service, and they provide the
infrastructure, the broadcast, the hardware, etc.
Then, a bunch of kids decide that they want what
DirectTV has, but not at their terms. So they steal
the service. Yes, they stole it. Hell, they
admit it in the article.
So what does DirectTV do? They beat the hackers at their
own game. They outplay, outsmart, and outfox them.
Bravo. They protected themselves and their market
share in the best way possible. In the end, we
can all appreciate the beauty of this particular hack.
Actually, you *are* taking something from them. If you subscribe to thier service, they know what channels you are capable of watching, and can tell the actual HBO people (for instance) that they have 18 million viewers and want to be billed as such (I can only think that as the number of viewers increases the actual cost to the provider decreases due to an increase in effectiveness of advirtising). So its not JUST your monthly billing statement that they are losing out on.
So if they increase thier profits by having more subscribers, you *are* stealing from them, in a very real sense.
Dirk
I keep trying to pick fights, but I can't shake this Excellent karma.
It appears that hackers are now considering a piece of hardware that sits between the DSS receiver and the smart card. It would emulate the damaged area of memory and, presumably, prevent that area from being written to again. You didn't really think the game was over, did you?
Your design to a real part online: Big Blue Saw
Actually... As of the 24th of january (last night) Most of the Hu cards were "Looped." This includes the "dealer" cards, and the one or two semi public scripts that were floating around.
Allot of popular speculation in the DSS hack community is that when Northsat of canada was busted.. (They reportedly had the most advanced HU hack at the time of their bust..) They cut a deal with the guys at northsat, to get all of their HU hacking info, in exchange for lesser prosecution. Mind you, this is complete speculation.
As of right now, its really not worth it to "hack" Dss.. You now need to have a valid emu setup (PC with 2 serial ports running dos, card programmer with a Hcard with a valid Subscription on it , Emu card/wedge to slip in the receiver, and the approproate serial cables.) Plus, theres a nice artifact that causes the loss of 1-2 seconds of video every 30 minutes or so.
I went the paying route a long time ago with my DSS setup, less headaches for me. Many of of Hacking friends lost all of their Hcards in this past sundays ECM. I'm paying the same price for DSS that I would pay for digital cable, and I get more channels.
As a side note, the way the specifically did it. (Way over simplified explanation follows) Was changing the Boot Proms.. They're kind of like a fuse.. they expect X (forgot the #) fuses total, and 3 of the "fuses" to be broken, thus rendering a value of 33 for boot. The ECM broke all of the fuses on the prom and it now has a value of 00, thus rendering the card unbootable, and now totally unfixable.. (It really it, unless you have an electron microscope, and can manipulate gates at an atomic level). These cards cannot be "unlooped" in any capacity.. short of ripping the card apart, and replacing the circuitry.. (a very expensive task, at best..)
No matter how you chalk it up.. (pro DSS, or anti-DSS) you have to admit that Directv exhibited some pure genius with the anti-hacker-measure. And if you're still hardup to get free satellite.. there's always Dish Network.. You need an older receiver, and you have to send it off to a 3rd party for them to extract keys, if I recall correctly. But I think it still works.
http://thepoliticalgeek.com/blog/ Politics for Geeks.
this story is very exciting, i could have sworn it was written by william gibson. i was just thinking of "Burning Chrome", amazing! :-)
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
if you read a lot, you will see that there is a way around this, emulation, basically what happens is that a PROM gets written to, by using emulation to emulate that PROM, we can reverse all the bits DirecTV's toggled back to the original, it is not theortical, it is already out there, those who were smart to get it early are not crying now. But I am sure DirecTV will come up with a smart idea, in the console world, it is possible to write game that can detect different kind of emulators. So they might write code that can detect an emulator. i.e, Emulators usually don't emulate bugs in hardware. ;) It is amazing how a bug in hardware can be used for useful things. :D
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
I would argue that you should have the right to examine thouroughly anything that enters your property and/or your body. You can't have a more basic right than to examine what you are subjected to.
That being said, I don't disagree with what Hughes did. It was very creative, very ingenious, and technologically genious. Had they pursued a legal case over this, I believe they would be in the moral wrong, but the legal right.
Someone will bypass this. It's a new challenge. The DirecTV hack bug has been relit.
Linux - Because Mommy taught me to Share.
At one time in America, it was legal for you to hack and decode any signal that was sent onto your property. I can't remember the name of the act that allowed this, but if an electronic signal was sent onto your property, and you could decode it, listening/watching it was your right.
This is why the old C-band dishes never had prosecutions for descrambling, or why you could listen in to Cellular Telephone conversations. And this would apply to DirecTV too, except it didn't exist when this law did.
Sometime in the mid 90's, a new Radio Telecommunications Act was passed which banned the eavesdropping on cellular telephones and any other signal entering your property that needed to be decoded. Thus, now the old C-Band hackers had become pirates, and the new DirecTV decoding was illegal.
The question is this - do you have the right to translate signals that are travelling onto your property - signals which you did not request?
The old law said yes. The new one says no.
Linux - Because Mommy taught me to Share.
This is true hacker war at its best. The DirecTV hackers vs. the DirecTV programmers. I bet both sides had a great time, and enjoyed the game. The "GAME OVER" message was an especially nice touch.
Someone said that they're within their rights to "illegally" descramble DirecTV's content, because it's broadcast over public airwaves. True, but then, isn't DirecTV also entitled to broadcast whatever they want? If you just happen to be foolish/1337 enough to be running a hacked card, well, thanks for coming out, better luck next time. DirecTV didn't physically destroy the cards, so I don't think the hackers have any grievance in that respect...
Nicely done, on both sides. I think this deserves an entry into the hacker hall of fame.
People providing a service deserve enough to be able to cover the costs of their operation and to make a reasonable profit.
Not in any kind of capitalist free market economy. Here the principle is that both businesses and customers will be self interested. If a business comes up with a good idea they will make money, otherwise they won't and will go out of business.
It is a lot of the same problem...how do you prevent a given behavior when all the resources of that behavior are in the hands of or are accesible to your enemy.
It's also not unknown for a major arms exporter to end up fighting wars against places they previously sold weapons systems to.
What is scary about this is that Hughes is taking the law into their own hands. It seem innocuous enough - they just "destroyed" several thousand bits of hardware
However they destroyed their hardware...
but what is to stop large companies in the future from "arresting" people for doing things they don't like?
That sounds like a rather different behaviour.
DirecTV are broadcasting their signal over satellite. Whether you pay for their service or not, it gets beamed into your property. If you have a dish, you will pick up the signal. If you happen to have the means of decoding this signal, you can watch their TV shows.
What they are doing is both broadcasting the signal and selling a service in decrypting the signal.
It's in their interests to try to ensure that they sell as much of the service as possible. One way of doing this is to make the encryption complex (so that it's difficult for third parties to decrypt, history shows this is difficult in practice) another way is to lobby for the state to grant a legal monopoly on the process of decoding. (And spread FUD about it being "stealing").
Since their situation is unchanged, then I have not stolen from them.
But my situation is changed. I now have a service that I did not have before. Where did I get it? The answer is that I literally pulled it out of the air!
Except that you didn't pull it out of thin air. You either paid another party or applied some skills you had.
Is there a way to direct the signal only to the homes that have valid DirecTV smart cards? I doubt it. This isn't the same as a radio signal where all you need is a mast at your station, this requires an enormous initial investment to send satellites into orbit.
Putting up a mast isn't cheap, putting up the number of masts (including paying rent to all the land owners, all the RF and microwave kit, electricity, etc) you'd need to cover the same area as a satellite probably costs more than using a satellite.
If setting up a transmitter network was cheaper then the company would have set up a transmitter network...
Consider the infrastructure. Those satellites are expensive. If you are grabbing the service for free, who's paying for the infrastructure and operating costs?
They are running a commercial enterprise, it's the responsibility of them to come up with a business model which at least covers their costs... It's certainly not the responsibility of any other party to support anyone's business model.
DirecTV has two things- customers and potential customers. When you pirate their signal you deny them a potential customer- obviously the person pirating is interested in satellite tv- thus meeting your criteria of the person(company) no longer poessing it
Assuming that the "pirate" is actually a potential customer. Maybe they wouldn't buy it anyway. Maybe they could not buy it, e.g. the Canadians.
Also the assumption here is that DirecTV should have a monopoly on these "potential customers".
A clever cracker could then send out a signal to brain-wipe valid user's cards (if they could figure out how to get that signal out anyway).
If someone wanted to be destructive in this way they'd probably prefer to simply reprogram the attitude control on the satellite. Far far more costly for the company to rectify.
A clever cracker could then send out a signal to brain-wipe valid user's cards (if they could figure out how to get that signal out anyway).
If someone wanted to be destructive in this way they'd probably prefer to simply reprogram the attitude control on the satellite. Far far more costly for the company to rectify.
the cards are not permanently damaged. I've read the code. the eeprom is marked to force the card into an infinite loop.
Is this the case, sounds more like the section concerned is more like a fusable link PROM.
You are assuming that people who have pirated something would have otherwised purchased it. This may be more so the case with DirecTV than with software. DirecTV is pretty cheap for the most part, but software is not.
Also in this case there is a catagory of people who could not buy the service in the first place. It's only sold to people in the USA (possibly except Alaska and Hawaii) but broadcast to all of North America. You can't get a satellite footprint to cover stop at a line of latitude... (As most of the US/Canadian and US/Mexico borders are simply lines someone drew on a globe.)
What the poster fails to mention is that the "hacker community" (as he calls these crackers) had a regular little cottage industry going selling hacked H cards and then fleecing their costumers for upgrades each time the card got ECMed.
Sounds like a simple case of commerical competition. So far as the "fleecing" goes, maybe this still has a lower average cost than paying DirecTV.
We are all applauding Hughes for their cleverness. What are we going to say if Microsoft gets this clever?
Be amazed, if it's done by their DNS administrator be astonished...
You used a very poor example. The H-card crackers aren't stealing anything as far as I'm concerned. They are listening to something that is braodcast to them. They aren't breaking into a bank or running over an ATM for its cash. You sending me data. If you don't want me to do anything with that data, don't send it to me!
--
So THAT'S why the satellite system gakked out during the WWF Royal Rumble match at the bar I was watching it at!
Man, I was so pissed, I missed Drew Carey going into the ring by the time I found a new place to watch it!
Does it make you happy you're so strange?
This was a good hack and all, on Hughes' part. I followed this scene for a little while, but quickly became disenchanted when I saw how much time, money and effort was involved, to get free TV, essentially - seemed out of whack to me, so I dropped it long ago (though now I wonder where you can buy just the smart cards to play with - not to steal DSS, but to actually integrate in things - I mean, I can buy the slots all I want from Digi-Key... Anyone have links to real distributors who would sell to individuals?)...
What is scary about this is that Hughes is taking the law into their own hands. It seem innocuous enough - they just "destroyed" several thousand bits of hardware - but what is to stop large companies in the future from "arresting" people for doing things they don't like? How far can this warfare go, when corporate Amerika is able to push through laws like the DMCA, the UCITA, etc? What happens when corporatism becomes the LAW?
This is just the first step - look for M$ to try doing something similar in the future - look for other large companies to try this as well, with all sorts of products - then look for them to really start coming after people...
Worldcom - Generation Duh!
Reason is the Path to God - Anon
That other $5 is for recouping the costs of dealing with pirates. In The Hacker Crackdown Bruce Sterling mentions the costs of credit card fraud in higher credit card fees. Certainly the people who figure out how to crack the DirecTV system are hackers. The rest of the people using those hacks, probably the 98% who lost their cards, are just script kiddies. I respect the hackers, have only disdain for the kiddies.
Best Slashdot Co
Radar detectors are illegal in Virginia.
Best Slashdot Co
Comment removed based on user account deletion
Both the hackers and DirecTV seem to be on sound ethical footing in this particular case. I salute the ingenuity of both sides.
Tom Swiss | the infamous tms | http://www.infamous.net/
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
If you're interested in actually hacking these boxes as opposed to blatant theft of service (not much of a distinction, but, hey, we all gotta rationalize), then you probably don't have much to worry about. I suspect that the 2% that weren't affected were using emulators of the smartcard, quite likely running their own software that they themselves wrote to hack the dish.
*grin* There's gotta be one helluva pissed pile of pirates out there though. The GAME OVER thing is just classic, too, eh! heh heh.
..don't panic
I have a theory, hypothesis whatever.
You see Hughes is a defense contractor. The defense industry is all worked up about Electronic Warfare against our national infrastructure, which now includes the Internet and other telecommunications services. They want to know what if anything they can do about it.
I believe Hughes has been tolerant of this game because it is a testing ground for them. I don't think they are testing their best technology at all, but rather practical technologies that are like the infrastructure already deployed.
It is a lot of the same problem...how do you prevent a given behavior when all the resources of that behavior are in the hands of or are accesible to your enemy. The entire Internet is really this way. Yeah Yeah firewalls blah blah. If you have any IP path out to the net or in to your computer, you have the same problem Hughes has with DirecTV. If you happen to be AT&T, WorldCOM, Sprint, UUNet or somesuch it is a big problem. If you use electricity then you have at least one path to attack the electric company.
If Hughes can solve this problem against a motivated enemy (people who want DirecTV for free) then they have a valuable solution that every government wants to buy. And governments have more money than all possible direcTV subscribers are likely to spend even over a very long time.
Well, there it is, a crackpot conspiracy theory. Worthy of Slashdot IMHO.
Don't post innacurate information
If you do, I swear by my pretty floral bonnet I will end you.
Absolutely brilliant! Kudos to the DirecTV engineers who devised this fantastic plan. They're worthy of the true hacker title in this particular war.
Also forgot to mention that the H cards that were "damaged" this past week may still be salvagable via a hardware setup similar to emulation called a bootloader. The bootloader can basically redirect any packets that are trying to look for this "write once" area on the card that has been closed, essentially building a bridge over the hole that has been blown on the card.
The intelligent members of the community did catch this new code in the stream very early on and had been warning the community for months that the only safe way to survive an ECM was to go to emulation.
With a hacked card, you get unlimited viewing of pay-per-view movies (which cost $3.95 each), unlimited viewing of the sports packages such as NFL Sunday Ticket (which costs $169 per season), unlimited access to the premium channels such as HBO, and unlimited access to the porn channels ($5-8 per movie). A standard subscriber package that includes every channel except for any pay-per-view or sports packages can cost upwards of $80/month. A hacked card that can stay active for several months easily pays for itself. And having the ability to choose from multiple timezones for network programming (NBC, ABC, CBS, FOX) is very convenient for solving schedule conflicts and is not available through legit subscriptions thanks to the ridiculous laws surrounding distant locals.
Nice to see that such an intelligent comment gets a +1 Bonus.
Anyways, where in my summary did I mention that *I* was using any of the systems that I described? Not one single place. As someone that does have some knowledge about this topic, I obviously was able to shed some light on the other side of the story. But then again that would just get in the way of the DirecTV engineers and the holier-than-thou people here that are high-fiving each other and patting each other's backs from the FUD that DTV is spreading. If one were to replace "DirecTV" with "Microsoft" in this story, I can guarantee that attitudes would be different.
And for your info, I was one of the subscribers that had 2 cards knocked out, spent 3 days with busy signals and on hold before I could talk to a CSR, and am now watching OTA broadcasts until my new cards arrive, which I'll be paying at least $78 for. And if I want a refund on any portion of my bill while my service is out, I get to go through the whole process again in order to talk to someone in accounting. While I'm all for companies combatting piracy, it certainly shouldn't happen at the expense of someone who is paying $55 month for the service. And no, I do not blame the pirates. That would be like blaming the pirates for the upcoming "anti-piracy" registration features that MS is including in Whistler. If my local cable company did't suck eggs and if it wasn't too difficult to get on the roof in the dead of winter to remount the dish to be used with Echostar, you can bet I'd fall into the category of disgruntled customer that cancelled. This certainly wasn't the first time I've lost legit subscriptions due to DTV's inability to specifically target their ECM's.
Very interesting theory. I did know that Hughes is a defense contractor, but never really thought to connect the two together. If your theory were true, it certainly would explain some of the very careless and lax actions they've taken in the past when combating piracy.
The card might say that on it, but I'd certainly be interested to see if this claim would stand up in court. The user pays for this card anytime they want a new one, it is not given or "loaned" to the user. When you buy a receiver, you're essentially also buying the smart card also. When your card is somehow damaged, DirecTV charges anywhere from $39 to $89 for a new one. In fact, many subscribers that had their legit H cards hit this past weekend are being forced to pay $89 for a new HU card directly from DirecTV, and DirecTV will refund $50 when they receive the damaged H card. Of course, looking at some recent court cases such as DeCSS and DCMA, I wouldn't at all be surprised to see the courts side with the corporation yet again.
Secondly, the new HU card has recently been hacked to allow for the "3M" scripts that open all channels. DirecTV launched their first attack against hacked HU cards this past week as well, but the community actually learned quite a bit about the HU card from this attack. This HU hack is only available through "dealers" for several hundred dollars, but I'd expect the necessary scripts to become freeware over the next few months. DirecTV will have their hands full once an emulation script is created for the HU.
Lastly, DirecTV also hit many, many paying subscribers running legit cards with their attack on Sunday. You can be certain that this attack cost them quite a few dollars in terms of cards needing to be replaced as well as the loss of subscribers that they have managed to piss off once again.
I mean it must have been a pisser if you were getting free TV but still, that was quite a cool plan.
Can we set-up an interview with the techie that planned it?
...but I wouldn't make the claim that it's RIGHT to watch their content for free. Just because it's digital does't make theft of service (or whatever you want to call it) moral.
Evan
As to whether or not what they were doing should be called and what term best describes them, careful consultation of The Jargon File seems to indicate that they were, in fact, cracking the system, not hacking it. At the same time, however, it's clear that they (mostly at least) weren't script kiddies or warez d00dz. Perhaps more terminology is in order. Maybe hacker-cracker? (Just kidding)
Furry cows moo and decompress.
DirectTV and all the other satellite broadcasters have all bought into the anti-fair-use agenda of the MPAA and the RIAA. DirectTV has recently issued a statement embracing the DVI spec which limits the quality of output to anything other than a display device with an encrypted datastream. They may even go so far as to cripple the over-the-air HDTV receivers that some DirectTV boxes come with in order to be compliant with that spec. Boxes that people paid good money for with the expectation that they would perform the same function tomorrow that they do today.
Furthermore, all the satellite broadcasters have made it clear that they will sue the pants off any company that would dare to make a card for your PC that could receive and decrypt the digital video stream from the satellites (even with appropriate access control). This interefers with my fair use because I could really use such a card in my home-theatre pc (htpc) to digitally scale the video up for better display on my hi-def television.
I, and hundreds if not thousands of others, already use htpc's to scale DVD's up with a quality beyond what any consumer-grade DVD player can do. Some of us also have HDTV tuner cards from companies like HiPix and Hauppauge that let us do the same and time-shift with hi-def tv broadcasts. Then there is the audio-scaling software that will resample 44KHz 16-bit cd (and mp3) audio up to 192Khz 24-bit audio for better playback via high-quality DACs.
I guess my point here is that an htpc is a very functional piece of hardware today, but DirectTV and co are actively preventing people like me from using that functionality with their product.
Sure, it is their choice, but it is an assinine choice and they do not deserve any false accolades for being "fair-use friendly" when they really aren't.
PS, so what if the infrastructure is expensive? Nobody made them put those satellites up there, and there is no god-given, nor government-given right to make a profit just because you spent a lot of money yourself.
When information is power, privacy is freedom.
On the surface (especially through the looking glass created by MPAA/RIAA/etc), it would seem that we should be in favor of the crackers and against Hughes/DirecTV. But that isn't so...
The crackers (in that they cracked the smart card system)in this case have steped over the line into stealing. They are stealing something they did not pay for (the DirecTV service).
On the other hand, with DeCSS, the hackers (in that they wrote the DeCSS hack) are doing noting more than allowing a DVD that they paid for on a system or device that does not have a commercially available DVD player (or has one but they want to write their own).
If this was a story about a hack for a digital video out feed (or something to that effect), that would be different since you are still paying for the video signal. The difference is that the DirecTV card crack is just plaing stealing.
I began following the internet underworld of DSS hacking in 97 when a couple of my older blue collar 'non-tech' friends bought DTV receivers (with fully hacked cards, no less) from one of our towns tv/stereo shops. That was the early days before the RCMP began gestapoing DSS equiptment dealers (shutdown raids with all equiptment confiscated) on behalf hughes/nds.
The DSS hacking scene has a fairly interesting history when you line up the countermeasure events history. There is definitive cycle that has occurred and will continue.
So, did DTV shake off its fleas with this impressive demonstration?
There is hardware available to allow these 'unrepairable' H cards to continue to be used. Supplies are/will be limited but the dealers with this tech are going to make a hugh pile of cash, over the next few months.
Card cycle 3 - HU Card (just beginning) This ECM will push the commercially available HU hack into the mainstream. The future of DSS piracy will likely become a more complex affair especially if DTV continued to develope it's security enhancements when design the HU card. The HU is currently a black box to hackers with only one group widely offering a sucessful hack. This hack was sucessfully ECMed on Sunday so individuals who shelled out the $500usd for a hacked HU are no further ahead. NDS, the company who actually manufactures and developed the F through HU cards, are reportedly on the hook for the cost of a full card swap, if/when the HU card's security is compromised. Sounds like good motivation to learn from the past and anticipate the future.
Most H card emulation systems didn't even blink during the ECM. Those system that encountered problem were easily update to function correctly. The software that is used to facilitate the H card emulation system requires access to the unhacked ASIC on an H card to retrieve decryption packets. Its actually a quasi man-in-the-middle hack with a computer program emulating all the functionality of the H card except for the generation of decryption packets. These are retrieved from a specially programmed H card that has been set up for that purpose alone. The H card is kept in a card programmer and is completely out of reach of DTV. Contrary to most conservative opinions, I suspect this system will continue to sucessfully hack the DSS system until DTV shuts off the H card data stream and switches entirely to the HU card.... Just like it did with the F card.
The software used to emulate the H card was created by one hacker/programmer. This individual also created the original emulation software for the F card. The F card emulator was a true emulator... no smartcard required. The F card emulator worked until DTV shut down the F card datastream. Although far too premature, an HU emulator of sorts can probably be expected in DTVs future.
DTV is gradually improving their security with each success cycle which will probably keep piracy rates in line. Unfortunately, they bought a dog with fleas when they decided to implement their system using tech that was proven hackable years earlier when it was employed in europe by SKY DSS. There are many millions of dollars at stake for both DTV and commercial hackers so its likely this battle will waged for a few years to come yet.
this ofcourse kills the card because in the ROM there is a beginning look that looks to the address of the PROM and if it's not equal to 33 then then goes into an infinate loop. I'm sure someone will come of with a way to cloak the Ram section over the PROM so the card will be read as valid.. it will just take some time.
Also for those who think that any sort of satellite hacking is done by kids in basements while mommy and daddy are asleep, well, that's just ridiculous.. this isn't some ddos hack, little bit of code and your linux pc and you are elite haxor. No, to do this you need both money and some brainpower.. there are only a few key people that understand this and supply the community with the software tools and scripts to crack the signal...oh..and you need to drop cash on either a ISO7816 programmer or unlooper just to get started.. after that you can get your hands on a whole array of equipment to work with the data stream.. and it's not cheap.
hacking satellite was a fun game.. looks like i'm going to have to get a new hobby..
-b
ps... no i don't really know how any of the stuff works. i'm the equiv of a script kiddie in the satellite world.
I'm not looking to start any trouble but I'd be careful when putting words into others' mouth. They simply made use of their technology to make it more difficult to make use of their services at no cost. Sure it's possible "they" might be thinking what you've just stated; but they obviously discovered the economic advantage of putting their technology to work without hunting down and prosecuting violators.
O'Really[?].Net
A company gets it right. Fight back with technology, not lawsuits. I'm impressed with their technical fortitude, and the manner in which they did it. The "GAME OVER" comment in the first 8 bytes was especially showing of a good attitutde towards the whole event.
Of course, it's just a matter of time till the crackers redouble their efforts and beat the new system... "GAME ON"
-Josh
This is the way to "defend" against software piracy. Defeat the hackers in a struggle through technology. Litigation in the courts is just not the way to stop people in the end. I have no problem with people wanting to have their customers pay for their product. I like how DirectTV responded to the piracy. Corporations (RIAA, MPAA, etc): BEAT US TECHNICALLY, NOT IN COURT! It means SO much more.
belive me, such stuff is far more fun than playing normal games ..
;)
It's the best game, because the enemies are not a stupid AI, but humans!
Before you email me, remember: "There is no god!"
They'd be opening themselves to a lawsuit from everyone who was willing to say "I hadn't modified my card, honest" otherwise.
/. community.
Sorry, but you're wrong. Do you think a bank robber can sue a bank who puts a dye pack in his bag of money to render the money useless? Do you think that people who put razor bars around their stereo equipment can be sued by the theif who loses a finger?
Thirdly the destruction of the cards would force Hughes to replace them. Not a cheap move.
What do you think is cheaper: letting people take $30 or $40 per month out of Hughes' pocket by not paying for the service, or replacing a single smart card. I'm not an authority on the subject, but I think making these people pay for 2 months of service would make up for the cost of a new smart card. BTW, is "thirdly" a word?
Finally, the site Michael linked to requests financial support by clicking a paypal link. Sounds like an elaborate setup to fleece the
We're glad Shoeboy is looking out for our interests. Slashdot requests financial support by displaying banner ads, and so do 99% of all other sites on the web. The one in question uses PayPal for its financial support instead of banners. What's the problem?
NO WAY!
Having nearly not noticed when the Royal Rumble was on (as it was not a Sky Sports event they wern't constantly advertising it on their own channels :-) I was sitting in front of the TV half an hour before the show started (01:45) when our entire service went (all channels).....but the service was ok 20 minutes walk away (Dublin 6w)...I waited....I waited....and 20 minutes later I got on my board and did it in about 5 to enjoy the show in plenty of time.
So, can anyone confirm if the time could be a connection, cause I love to freak out the call centres of places like this who don't like to be helpful. I'll just add it to my next call to try and find out where I can find a cable modem service (soon I will be listing addresses from the phone book out to them cause they'll tell you if an address can get it or not, just not where you can get it) and when it'll be where I want it!
Never underestimate the dark side of the Source
Man, it must be pretty cool to work for DirectTV now. Being able to say: I was the one who came up with the plan to lure a whole community of hackers.
Those first bytes should have read: "DirecTV is the ueberhacker! Bow before us".
<grub> Reading
This is just too interesting to let pass. I think I'm going to have to get back into the community again. I don't claim to be a super guru but from what I gather, DTV activated a tweaked the ROM start-up code to check a specific memory location very early in the start-up sequence. The memory location just happens to be an OTP or "write-once" location on the EEPROM. Last Sunday they sent out an ECM that checked 50 or so different memory locations. If any of any of the checks came back with a byte that was different from standard DTV code, it wrote "00h" to the OTP memory location. If all bytes came back valid, the location was written to "33h". If the "00h" is present during start-up, the sequence is derailed and the card goes into a tight loop. During past "FF", "00", and "99" loops, you could hit the EEPROM with voltage spikes and dips to get the memory location to reset itself to default. After it was reset, the ROM would go through the start-up sequence and you could reprogram it. With this new loop, "33h" is not the default. So if you hit it with an unlooper and get the location to reset, it still won't go through the start-up sequence. The DTV hacker community has labeled the ECM as "Black Sunday". This will be fun to watch.
Doh!
To those who are claiming that no 'theft' was going on...
I assume some of you have some experience working for a living. Let's suppose you have contracted to perform a service for someone. They will pay you a certain amount of money, and let's say, you will write a program for them. Let's further suppose that your business model is such that you make money by providing this service to people who otherwise can't or won't produce it for themselves, as there is no cheaper alternative. Alternatives (albeit, not cheaper) might be to learn to program yourself (perhaps too expensive in a time-sensitive manner) or hire someone else (maybe they don't know about the cheaper contract shop down the road).
Now here comes the fun part. Let's suppose that one of two things happens. Either the client figures out how to get the service and foregoes paying you. Not really the case here, because being a client suggests there is a contract. The other case is someone who somehow manages to retrieve your program (your service) and provide it to others at a vastly reduced price. Now, you have put effort into producing this product. Someone else put effort into taking the results of your product and providing them to others. You did not say that it was right to do this. In short, your efforts have been stolen. Yes, you still have your program. But it is quite useless since the people you would have sold it to have now received a duplicate of it for much less.
Imagine if someone took a GPL'd work, made changes to it to suit their needs (these crackers obviously changed the DTV cards to suit THEIR needs), and then sold it without providing the changes. They have violated the intent of the licensing, which was to make all changes available. Likewise, in this case, the licensing intent was to make sure that people who receive the service must pay for what it takes to provide that service. It wouldn't matter in this case that the crackers did make their changes available. The DTV cards weren't under GPL.
In the end, though, it probably doesn't matter. If an explanation is required, an explanation won't really change your mind. Not in this case.
_lpp
Possible new recruits at DirecTV!
I think the bit I like best about this is that DirecTV managed to upgrade their software remotely without cuasing an interruption to the service. THAT was a ballsy thing to do before the Superbowl!
I've been posting on the net since 1994 and I still haven't come up with a good sig!
If you get caught with a radar detector in my state, and it has batteries in it or is plugged in, even if it is not on, you are guilty of a crime. I don't remember the severity off-hand, but it IS a crime.
As far as the theft-of-services goes, there is nothing wrong (or at least shouldn't be) with building your own receiver and decrypting the signal by brute force. If you subscribe to their service and then hack their system to receive channels that are not on your contract, then that is a theft of services. Even though is does not cost them a dime for you to decode that information, it costs them an awful lot that you're not paying to subscribe to those channels. You may think you can walk the line, but the courts will disagree. And then life will go on.
Sure, it takes a lot of effort to hack those cards, but my admiration goes to the Hughes programmers who did their job (protect the content from unauthorized access) and did it with flair.
WARNING: there is a trojan on your
If you decode all of the channels, without their equipment, it's reverse-engineering. If you decode some, with their equipment, it's breach of contract.
If you want to think of some of the apparently screwy yet legally logical things that courts rule, consider a case (American, I don't remember the sub-jurisdiction but it doesn't matter in this case) in which someone was thrown out of a store for collecting price information. In this case, since he appeared in their judgement to be doing more than just comparison shopping, he could have been a competitor trying to undersell them, and they have the right to prevent that if they don't choose to publicly advertise their prices. In other words, you are implicitly invited to their store to buy their products, not to compete with them. The corrolary here is that DirecTV offers you the decoding equipment for the express purpose that you receive only those channels which you have paid for. Perhaps you pay something for the equipment, but it's a loss-leader, and under contract. While I haven't seen the contract, I suspect that in most courts, it would not need to explicitly say "The Customer shall not tamper with the receiver equipment to enable it to receive and decode additional signals." or some other such legalese for the court to agree that such tampering would at the least be subject to civil damages, if not a criminal prosecution.
WARNING: there is a trojan on your
5 days and counting without Vivid TV, I will be forced to go outside.
the congratulation to DirectTV.
They did the right thing. A nice fight, and a regular victory. First round for the hackers, second round for DirectTV.
Waiting for last round, but both side have my support. This is the way the fight should be done.
This recall me the old time of copied adventure games on the Apple ][. There was one (don't remember its name), in which you had to escape from a jail, and the copy protection was smart enough to slighly change the game logic, so you could NOT escape. And there was an (rather hard to find) inscription on the toilet room (IIRC), that said, more or less: "You don't expect beeing able to complete the game with a pirated version, do you ?".
This is the way things should be done. Hardware companies should try to outsmart hackers/crackers which should try to do the same.
Cheers,
--fred
1 reply beneath your current threshold.
If you read even more, you'll realize that a pattern has set in that favors that hackers. In the age of the F card, as DirecTV was replacing them with the new, "unhackable" H cards, the pirate world was shook. Everyone predicted the end. No one knew how to hack these new smart cards. DTV, content, finalized the switchover and turned off the old data stream. The next day, the first "H Hack" was released on the Internet. DTV has spent years hunting down hackers to no avail. This weekend's attack had been predicted, so no one was too surprised, only sad at the loss of a pirate TV. But the same pattern seems to be developing - for a while now the HU card has been under scrutiny to find a hack, but no such luck. But now, with DTV about complete the switchover to HU completely, the first "HU Hack" has appeared, only in commercial settings only. Likely, this card will not stand a concerted attack from the hacker community.
And the big unpublished fact of this attack was that, due to a form of recklessness and carelessness by DTV, the ECM hit not only hacked cards, but many valid H cards!
Is there a way to direct the signal only to the homes that have valid DirecTV smart cards? I doubt it. This isn't the same as a radio signal where all you need is a mast at your station, this requires an enormous initial investment to send satellites into orbit. If you don't want to pay for it, then why should you have it? No-one has a right to satellite TV, you have to earn enough money to afford it, same as most things in life.
My wife and I are pretty happy with the service (other than rain fade margins-- they don't exist!) and think that we made the right choice over going with TWC. One of her teacher colleagues has TWC digital cable, and the picture is awful compared to DirecTV. (Except in those summer monsoons when DirecTV doesn't work at all!)
I have never been comfortable with people getting these kinds of services without paying for them. That monthly bill not only pays for the programming, but also on infrastructure and maintenance. Hughes played a HUGE gamble by launching its DirecTV bird. Unlike cable, satellite systems must have their entire infrastructure in place before they can sign their first subscriber. Cable systems can roll out a piece at a time, and early adoptors help pay to expand into new areas.
The only thing I'd like Hughes to add is a non-Windows bidirectional link for DirecPC and a dual-subscriber discount like TWC has with RoadRunner.
Check here for exactly how the cards were 'destroyed' and for a possible way that they could be repaired... but why would you want to do that?
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
Now Obviously, alot of folks are going to be pissed off because they "lost" the game.
And I am sure that the fine folks at DirectTV are gleeful about the gnashing of teeth and their own clever victory.
Somehow I think this has to been kept quite separate from the other issues dealing with digital media.
People providing a service deserve enough to be able to cover the costs of their operation and to make a reasonable profit. Let those who are without sin cast the first stone. Who has not had dotcom phantasies of obscene wealth? Well how did you expect you would do this? by giving away the homeplanet? or do you want them to spent millions of dollars so that you can enjoy your right to the superbowl and free pr0n?
That being said there is ALSO the issue of fair and reasonable exchange for goods and services. DirectTV certainly has been on the wrong side of the issue as far as some aspects of copy protection, etc.
Some people would rather spend extraordinary effort and money to not not pay for goods and services. In the past, these people were called the 'rich'; it was part of their culture. and now this attitude has dribbled into the rest of society
In the past, much of what has passed for morality has been an effort to help keep people in their place, to help mold them into sheeple. This has been the main thrust of modern education since the education "reforms" at the beginning of the 20th century. All those immigrants had to be educated to be good workers, etc. NOT competitors to the status quo.
This ties in with the DirectTV game because the company, as such, naturally, and perhaps unwittingly, takes advantadge of the situation to impose conditions that are not fair exchange.
People instinctively react, at first, to situations that are not fair. They get mad. and they use this to justify their own attempts to get what they think they are due, and maybe a little bit more. It becomes a viscious circle.Unfortunately, some poeple will never be happy.
"It is a greater offense to steal men's labor, than their clothes"
This looks like poetic justice to me. All credit to DirecTV.
- Hackers will find a way around the new system. They always find a way, and they will have fun doing it.
Doubtful... if you read the article correctly, this last act effectively destroyed the smart cards.What would be cool is if someone found a way to actually revers-engineer and manufacture smart cards that recieved the regular updates, and acted exactly like legit ones, except they didn't dial into DirecTV.
This is the way companies should combat hackers that are "stealing" or "bypassing access control methods"... not tracking them down and suing them, and getting laws put in place to ban things that are useful to the community at large. DirecTV was able to attack hackers without infringing on their paying customers!
"Evil beware: I'm armed to the teeth and packing a hampster!"
Lex orandi, lex credendi.
It looks to me like DirectTV (better known to the a.d.h members as "Dave", and not to be confused with "SuperDave", one of the newsgroup regulars) played an ace they've had up their sleeve for a long time. Apparently the boot code (in ROM) of the 8051 in the chip checks one bit in a 32-bit region of PROM (as in you can program it but you can't reset it) and goes into an infinte loop (I think this is what is being referred to as a "looped" card) early during the boot process. Since this is in ROM where it can't be re-programmed, you can't bypass it.
It seems there's also an ASIC in the card that is crucial to the decoding process. I'm guessing that it has to be enabled by the 8051. And if the 8051 "loops" before you can talk to it, you're hosed.
It also seems that there was a recent move to "emulators", which emulated the 8051, but passed commands to the ASIC through to the real card. That way, as long as the card was alive enough to tell it what to do, you would esentially firewall off the card from any nasty code that wanted to do stuff like program write-once bits in the CPU chip. Some people were arguing recently that emulators were overkill, but it seems they have been proven wrong. The only people with hacked cards that still work either had emulators or were lucky enough to pull their cards in time (or the decoder box was unplugged).
Apparently for a couple of weeks now "Dave" has been downloading code to detect illegal cards and test it (by locking up assorted cards and seeing what kind of results they got) before sending down the "ECM" code which caused the card to kill itself.
As to the timing, it is suspected they chose one week before Super Bowl to allow enough time for legitimate users (or those illegitimate users who wanted the better signal in time for The Big Game) to receive new cards.
Here are two messages I found on the newsgroup about all this: (line art removed from the first one because of /.'s lame filter)
From: ump25@aol.com (Ump25)
Newsgroups: alt.dss.hack
Date: 22 Jan 2001 05:38:13 GMT
Subject: EVERYONE READ THIS! INFO FROM MAGICIAN ET. AL.
Message-ID: <20010122003813.16538.00000761@ng-bj1.aol.com&g t;
From Magician and Hypertek comes the following...
As most everybody is aware, the ability of the dynamic code to execute a kill-type ECM was displayed today on "Black Sunday".
First, the bad news: the ECMs wrote 4 bytes to "write once" area of the EEPROM, 8000h-8003h. Unfortunately, one of the bytes that is changed is 8000h, which is checked extremely early in the ROM startup code (003Fh) to see if it contains "33h". These ECMs re-wrote this byte to "00h", which means that it very quickly enters an infinite loop because "P1.7" is not set. Since this area of the H card is "write once", there is no way to reset this byte back to "33h" to allow normal startup to continue, even by way of an unlooper.
Second, for those interested, here are all the EEPROM addresses that were tested to see if they contained modified bytes. Each byte was tested in its own packet (i.e., one address at a time):2 ,8 D24,8D25,8D32 Ins54 code
code:
- - -
8243 Vector for setting DPTR to ZKT secret vector
8246,8247 Vector for Cmd09 vector
8255 Vector for Ins58 patch vector
8258 Ins44 preprocessing vector
825B Ins44 extras vector
825E Find tier or PPV vector
8264 "EndInsHandling" vector
8273 Cmd1F vector
827C,827D Ins54 vector
8282,8283 Ins18/Ins1A vecotr
8440 First byte of channel blackout data (checked if non-zero)
8582,858C,8593 Cmd60 code
85B7 B7 nano vector
85BE BD nano vector
85C0,85C1,85C2 C0 nano vector
85C3 C3 nano vector
85C6,85C7 C6 nano vector
85E2,85E6,85ED,85EF,85F6 B5 nano code
8606,8608,8611 AddAToDfdNanoBufIfFlOpn code
8630 Deferred Cmd60 processing code
86DD Never-executed portion of old C6 nano code
87A1 Old CF nano jump table
8800 Hash algorithm code
8955 Main loop vector code
8973 Ins18/Ins1A code
8975 Ins54 check code
8982 Setup for Ins38 code
89A0,89A3 Setup for Ins44 code
89A6,89B2,89B9 Setup for Ins4C code
89DF End of main loop vector code
8BFE Cmd0C code
8CC7,8CCA,8CCB Preprocess deferred Cmd60 code
8CD9,8CDE Cmd0B for non-virgin cards code
8CF2,8CFE Ins58 patch code
8D04,8D09,8D0D,8D11,8D14,8D178D1A,8D1D,8D20,8D2
8D66,8D6A,8D72,8D76 Add ASIC bytes to signature hash code
8DD0,8DD3,8E68 Do 1 hash iteration code
8F2F Preprocess Cmd09 code
8F53 Cmd0C patch 1 code
- - -
Here is an example dynamic code packet (for the 8D1Ah address; all of the addresses were tested using similar packets, except for 8440h which used a JNZ instead of JZ):
code:
- - -
C3 nano used to preset RAM locatiosn 10h-1Fh:
C3 0A 00 20 99 03 AF 01 00 04 00 09 | Seed hash only (using 9 data bytes) results in these bytes at 10h-1Fh:
20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0
Fourth byte loaded in EEPROM write register
Third byte loaded in EEPROM write register
Hi byte of 1st loop return address and second byte loaded in EEPROM write register
Lo byte of 1st loop return address and first byte loaded in EEPROM write register
Hi byte of 2nd loop return address
Lo byte of 2nd loop return address
Hi byte of 3rd loop return address
Lo byte of 3rd loop return address
What 8D1Ah is compared to
The C9 nano looked like this:
C9 10 20 90 8D 1A E0 47 60 08 90 | Write 15 bytes+RET, execute and hash
80 00 78 15 75 81 16 :
which caused this code to be executed:
893C mov DPTR,#8D1Ah
893F movx A,@DPTR
8940 xrl A,@R1
8941 jz 894Bh
8943 mov DPTR,#8000h
8946 mov R0,#15h
8948 mov SP,#16h
894B ret
- - -
Remember, R1 starts equal to 10h. So the above code does the following:
Compare 8D1Ah to @10h (which contains #20h)
If they match, simply return
Otherwise, set DPTR to 8000h
Set R0 to 15h
Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into EEPROM write register which RETs to 01AFh to enable EEPROM write mode
which RETs to 0399h to write 00 04 00 09 to 8000-8003h.
In addition, there was an ECM to detect an H cards running with non-H CAM IDs, although this packet did not loop the card but simply "locked it up" until the next reset:
code:
- - -
C3 nano used to preset RAM locatiosn 10h-1Fh:
C3 0B 00 FE FC 32 00 00 04 AC 01 68 14 | Seed hash only (using 10 data bytes) results in these bytes at 10h-1Fh:
FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34
Hi byte of 1st loop return address
Lo byte of 1st loop return address
Hi byte of 2nd loop return address
Lo byte of 2nd loop return address
Hi byte of 3rd loop return address
Lo byte of 3rd loop return address
Hi byte of 4th loop return address
Lo byte of 4th loop return address
The C9 nano looked like this:
C9 12 20 90 83 74 81 60 07 57 70 | Write 17 bytes+RET, execute and hash
05 09 B9 12 F6 22 75 81 19 :
which caused this code to be executed:
893C mov DPTR,#8374h
893F movx A,@DPTR++
8940 jz 8949h
8942 anl A,@R1
8943 jnz 894Ah
8945 inc R1
8946 cjne R1,#12h,893Fh
8949 ret
894A mov SP,#19h
894D ret
- - -
Remember, R1 starts equal to 10h. So the above code does the following:
If first byte of CAM ID is 00, return (everything OK).
Otherwise, AND first CAM ID byte with byte @10h (#FEh)
If result is non-zero (meaning first CAM ID byte is not 01h), go to ECM routine
Otherwise, AND second CAM ID byte with @11h (#FCh)
If result is non zero, go to ECM routine
Otherwise, return (everything OK)
The ECM routine resets the SP to cause the RET to resume execution at 1468h, which RETs to 01ACh, which RETs to 0400h, which RETs to the infinite loop at 0032h...
From: Spacemonkey Gleep <Fictitious@Dont.Bother.Its.invalid> .com>
Newsgroups: alt.dss.hack
Subject: How Write-Once memory works, or "Why H cards hit by the ECM are never going to be fixed"
Date: Mon, 22 Jan 2001 10:56:12 -0800
Message-ID: <Fictitious-402BA7.10561222012001@news.primenet
In response to the umpty-nine-dozen "Why can't we just..." questions about the corrupted write-once area on the card, here's an explanation that may shed some light. (Note to those "in the know": Yes, I'm simplifying things ridiculously. Not everybody playing in this little sandbox is an EE with the knowledge to understand the inner workings of a chip)
A byte of RAM memory is a set of 8 cells that can hold a one or a zero. Which cells have 1s in them determines the value of the byte when you read it. With RAM, you can change the values any time you like. You can think of that byte as 8 switches that can be turned on or off in different combinations to give you various values.
A byte of ROM is similar, in that it's 8 cells that can each hold a 1 or a 0. Unlike RAM, these 1s and 0s are fixed. Instead of the "switches" that RAM has, you can think of ROM as having either a wire (for a 1) or no wire (for a zero). They can't be changed once made. The wire (or lack of one) is a permanent thing.
A byte of Write-Once memory (Also known as "PROM", or "Programmable Read Only Memory") has characteristics of both RAM and ROM. Like RAM, you *CAN* write to it, under certain circumstances. Like ROM, once written, it's **FOREVER**. Think of a byte of PROM as being 8 microscopic fuses.
When the chip is made, all the fuses are "good". If you could see it at the microscopic level, it would look something like this: ( each | is a fuse that isn't blown )
| | | | | | | |
and would have the value FF, or 255 in decimal.
Now, let's say you want the byte to have the value B7 (That's 183 in decimal, and in binary, it's 10110111) To write that value to it, you deliberately burn out two fuses in the byte, leaving it looking like this: (| = unblown fuse, : = blown fuse)
| : | | : | | |
From that point, it would be possible to write to it again, and change the value, *BUT* there's a catch. You can only "blow" more fuses. You can't "un-blow" fuses that are already blown. This means that a number that needs one of the fuses that's already blown out is going to be impossible to write.
So why is this a problem?
Normally, byte 8000 of the H card holds the value 33 (in Decimal, 51. In binary, 00110011) and the byte looks like this:
: : | | : : | |
But after being hit by DTV's ECM last night, the byte is set to 00 - it looks like this:
: : : : : : : :
There's no fuses left to blow out. They're all gone. That means that forever and always, byte 8000 of your ECMed card is going to say "I'm holding the value 00" when asked.
Why this means the card is permanently dead:
VERY early after the card gets powered up and reset, a check is done:
Does byte 8000 hold the value 33?
If the answer to that question is yes, then all is right with the world, and things start happening. The card gets initialized, spits out the ATR string, and then goes into "wait for a command from the IRD" mode. If, on the other hand, the answer is no, then the card goes into an infinite loop that does nothing. If you program in BASIC, it's the equivalent of the line
10 GOTO 10
NOTHING gets done until the next time the card is reset. And then the same thing happens all over again.
This check is in the card's ROM, so it can't be bypassed or changed.
Reprogramming the card won't do anything useful, since the ROM doesn't even get looked at, let alone messed with, by programmers (or unloopers, for that matter) and even if it did, it wouldn't do anything useful, since ROM can't be changed (short of actually damaging it).
So how can it be fixed?
The simple answer: It can't. Congratulations. Your H card is now an ice scraper. Get used to it. Life sucks.
The more extended answer:
If you've got the micro-tools to "rebuild" the blown fuses on the chip, you could go that route, but unless you're a chip manufacturer, or have access to that type of equipment somehow, you ain't got a prayer. We're talking about electron microscopes, tools for depositing single atoms onto the silicon wafer itself, that sort of thing. In other words, trying to do it is going to mean more money, knowledge, equipment, and effort than most any of us are capable of applying to the problem.
In short, last nights ECM was the ECM to end all ECMs. Any card hit by it is toast, and barring someone developing a cheap way to rebuild chips mat the wafer level (which isn't even remotely likely to happen anytime soon) there isn't a thing that can be done about it. Enjoy your new ice scraper.
Or get in touch with me about shipping it to me. I want to dissect it to get the ASIC out of it for some experimenting I want to do.
--
GLEEEEEP!!!!
PGP KeyID: 0x016B6B53 on the keyservers.
http://www.megsinet.net/~kayo/index.html
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
What did the remaining 2% of peope do differently to their cards? How did they escape DirecTV's programmatic code?
I have heard that the name of the new card is the 'football card'. It has been available to buy in Canada with one of the DirecTV dishes and recievers for around $750.00 Canadian. I have also heard however, that the hacking community hasn't figured out how to reverse engineer the new cards and thus design an unlooper. Has anyone else heard of this?
I wonder how long the attack on hackers has been planned for? Is it possible that direcTV has planned this attack for the Superbowl this year and thus the name "Football Card"?
I love the smell of Karma in the morning
"Homo sum: humani nil a me alienum puto"
(I am a man: nothing human is alien to me)
My only political goal is to see to it that no political party achieves its goals.
It's great to see a big corperation fighting back against hackers by using technology instead of legislation. Hughes probably managed to get a few hackers on their side to help them out in this little infowar.
----------
Technoli
please stop slobering all over Dave having busted up all those signal pirate's h cards. ( I know infinite loop and all) Maybe it'll slow down the spam flooding my mail. The folks with a clue already switched to emulation a while ago. As to this whole Hacker/cracker nonsense, does it really matter that much ( except to 14 yr olds who just found out what BO2K is? ) Most people using h card hacks probably have VCR's that flash 12:00. As to folks descrambling Daves signal, he should of used better tech, it's not like someone is tapping a cable; I could understand the argument of theft better if the downlink was only as wide a basketball and only aimed at their paid subscribers. But no, they flood me with unwanted RF, I am going to do as I please with that signal. By the way Dave has run to their laweyrs many times before and has genraly made life miserable for many folks. Well thats my load of scantimonius(sp?) crap for the day.
Because the VC][+ has never been hacked cleanly. Everyone left the BUD (Big Ugly Dish) when the little dishes came out and were easily hacked. There is also the reason that with the BUD you can only watch a channel that is on that bird on multiple TV's. The little dish solved that issue. dave
Hackers will find a way around the new system. They always find a way, and they will have fun doing it.
Some friends of mine (who used hacked cards to steal DirecTV) were telling my wife and I about this last night. They've long tried to get us "in on the act," but we both disagree with the immorality of stealing the signal. Needless to say, I was busting up with laughter as they told us about "black Sunday." (Fortunately, they were rather good humored about the situation.) But what's funnier still was they had just returned from Walmart w/ new receivers that they'd purchased for the express purpose of getting new cards to hack. How funny is that? While I'm sure the hacking community will find some new way to thwart DirecTV, I'm equally sure my friends will go through more cards before it's all over. So how many new receivers do you suppose have been sold this week just for this purpose? Kudos to DirecTV for a truly inspired anti-hack!
I personally believe that any signals that happen to cross the boundaries of my property are mine to do with as I wish, but I also believe that the senders of those signals have the right (and in the case of a commercial enterprise, the necessity) to try and protect those signals.
This should be listed as one of the Top Ten Hacks of all time.
Chris Kuivenhoven is a thief, beware
One wonders how much it costs DirectTV to wage this "war", and whether it's really cost effective. The real goal, it would seem, would be to make it so inconvenient to hack that 99.9% of all potential customers would go the legitimate route. When you start spending a lot of money to get at that last 0.01%, you may be pushing it a little too far to be good business. Only DirectTV knows the real percentages (and their own finances), but if the hacker/cracker community fights back hard it may turn out that this was a poor business decision. Let's not forget that this is a content protection technology that, like all others, can and will be broken. For each DirectTV success, their opponents only get smarter and more determined.
But the way DirecTV shut down the pirates was pure Hacking Poetry. Making them have to update with the trojan that was going to kill them in the end was brilliant! It reads like something from a William Gibson novel.
Slashdot should be ashamed for misusing Hacker in yet another story. These guys were Pirates, there was no technical skill involved in 99% of their activities -- it doesn't take much to follow someone elses directions.
Brian
Remember Lexington Green!
The satalite reciever is more or less a reader/writer to the card. Writing can be initiated by the data stream from the satalite. The dynamic code on the card now has the ability to double check it's own hardcoded serial number against the software number that is created when you hack/clone a card. If they don't match up, then card tells the reciever to write certain bytes called "write-once bytes". These bytes are made in the "off" position, but once thay have been turned on, they cannot be turned off. When the reciever writes these byte, which reside in the boot sector of the card, the card is corrupt and pretty much dead in the water.